Events
2019
Mar 5 - RSA - Trusted Digital Supply Chains, Speaker & Moderator, Australia & New Zealand Trade Event
Jan 21 - SailPoint Technologies SKO, Austin, TX. Keynote Speaker
2018
Sept 29 - Oct 2 - NACD Global Board Leaders’ Summit, the largest and most significant director forum in the world. Speaker on 3 panels: cybersecurity governance, digital transformation, and cyber as a growth engine. https://summit.nacdonline.org/2018-summit-recap
August: SINET 16 Innovation Award - Silicon Valley - Judging Committee
Jul 24: The Enterprise CISO Roundtable - New York City - Program Moderator
May 10: Plug n Play Summit - Silicon Valley - Cybersecurity Keynote
Mar 7-8: SINET IT Security Entrepreneur's Forum - Silicon Valley - Panel Moderator The Cybersecurity, AI, and Blockchain Investment Landscape: A Venture Capitalist Perspective
Jan 29: SailPoint Technologies SKO, Dallas, TX. Keynote Speaker. Keynote Guest Speaker
Publications
Boards Create Cybersecurity Committees to Watch for Threats, Assess Company Defenses
Wall Street Journal Pro Cybersecurity, Nov. 28, 2018. By Kim S. Nash
Corporate boards are increasing oversight of cybersecurity as damages and regulatory pressure stack up after major breaches. A handful of boards are creating committees specifically dedicated to scrutinize cybersecurity.
These cyber committees concentrate expertise on evaluating defensive and offensive efforts by executives and on elevating the topic at general board meetings. The committees are rare at large public companies. Among the 50 biggest U.S. public companies by revenue, General Motors Co.’s board is alone in running a cybersecurity committee, according to a WSJ Pro Cybersecurity review of regulatory filings.
A designated committee for cybersecurity can assess how company leaders protect data and systems, as well as how well they anticipate potential threats, said Jim Pflaging, chairman of a board-level cybersecurity committee at SailPoint Technologies Holdings Inc.
“We’re hearing from the SEC that cybersecurity is the number one issue affecting corporate governance today. Those are pretty strong words,” said Mr. Pflaging, managing partner at Cynergy Partners Inc., which advises boards on cybersecurity and risk. SailPoint, which makes identity management tools, created its cyber committee in May.
Since the Securities and Exchange Commission in February published guidance for companies to report more details about cybersecurity threats, many companies have disclosed more information about how they manage security. This has prompted directors to question closely senior technology leaders at board meetings, said James Lam, president of board advisory firm James Lam and Associates, and a director at E*Trade Financial Corp. since 2012.
Cursory presentations from CIOs and CISOs about the number of malware attacks or intrusion attempts in a given time period won’t cut it, Mr. Lam said. He asks for details about business risk, such as a calculation of potential loss from a given cyber threat. “If CISOs push back,” he said, “I find that unacceptable as a director,” he told WSJ Pro Cybersecurity in October.
Spotting cyber risks in new markets
The ability to spot disruptive risks is critical but difficult for directors, according to research by the National Association of Corporate Directors. In a poll of 146 directors this year, 46% of directors said focusing on known risks gets in the way of identifying emerging ones, including those related to cybersecurity. Just 19% said they were extremely or very confident in management’s ability to address such atypical risks.
Cybersecurity is a disruptive risk, said Friso van der Oord, NACD’s director of research and editorial. “The nature and types of threats are constantly changing and are very difficult to anticipate.”
General Motors formed a cybersecurity committee in November 2017 to oversee overall cyber risk in operations. Also an impetus, according to GM’s most recent proxy filing: The company’s moves into self-driving cars. The new business, the board noted, must entail protection of GM’s products, customer data and intellectual property.
Linda Gooden, a GM director since 2015 and former executive vice president at Lockheed Martin Information Systems and Global Solutions Inc., chairs the new cyber committee. Other members are Adm. Michael Mullen, former chairman of the U.S. Joint Chiefs of Staff; and Thomas Schoewe, former CFO of Walmart Inc.
In its two meetings as of the filing of its proxy statement in April, the committee had reviewed GM’s key cybersecurity risks and programs and approved a ransomware policy, among other tasks.
The GM board transferred cyber oversight from its audit and risk committees. But audit and risk are by far the most common committees that handle cybersecurity matters. Some companies recently have added or expanded responsibilities for security there, including Ford Motor Co. and CVS Health Corp. FedEx Corp. in 2000 was early among large public companies to create a committee dedicated to technology. Duties of its Information Technology Oversight committee include cybersecurity.
Tighter focus by directors in a dedicated cyber committee may help identify threats more quickly, said Mr. Pflaging, who joined SailPoint’s board in 2015. Discussions won’t be curtailed to fit in other topics during meetings, he said.
A cyber committee can help ensure that executives trying to transform their business models with artificial intelligence, blockchain or other emerging technology pay attention to related threats, he said. “Every business can and should stop to reassess how do we transform that business. Much fewer make the same leap to [determine] how to do it securely.”
============================================
Three Issues on the Corporate Cybersecurity Agenda
Wall Street Journal Pro Cybersecurity, June 28th 2018, By Jeff Stone and Kim S. Nash
"Boards generally should consider forming a committee or subcommittee to oversee cybersecurity, said Jim Pflaging, managing partner and founder at Cynergy Partners, a cybersecurity and risk management advisor.
SailPoint Technologies Holdings Inc., an identity management vendor, created a board-level cybersecurity committee in May, charged with advising management on the effectiveness of the company's security strategy. SailPoint's CIO and CISO are expected to brief the three directors in the group, including Mr. Pflaging, who chairs it. He serves on the board of several technology firms.
SailPoint's committee members plan to review the company's controls and processes for defending and protecting against cybersecurity threats and review budget, investment and staff, according to the group's charter.
Rethinking the Reporting Structure. As boards begin to play a bigger role in corporate cybersecurity, there may be a push for CISOs to report directly to them. That's not wise, said Mr. Pflaging, because directors are supposed to provide guidance about corporate strategy, not the kind of daily management needed to build a strong cyberdefense.
The CEO is often the best boss for the CISO, in part because that setup signals that cybersecurity should be prioritized, said Mr. Pflaging. But that structure does come with a drawback."