Cybersecurity Pros Deserve a Spot on Company Boards

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

U.S. companies that handle sensitive consumer data should add cybersecurity professionals to their boards, a former Department of Homeland Security official told a House Commerce subcommittee Nov. 1.

Companies have been pressured by Congress and consumers to improve their cybersecurity oversight following the Equifax Inc. data breach that affected at least 143 million individuals in the U.S. Equifax recently added a cybersecurity pro to its board. Companies have also begun to focus more on cybersecurity risks when evaluating business decisions.

Failing to include board members and senior executives with cybersecurity expertise, or appointing them but not listening to what they say, poses serious risks for companies.Companies that handle sensitive data, especially consumer credit information, should have senior-level board members with cybersecurity experience, James Norton, founder and president of security consulting group Play-Action Strategies LLC and former DHS deputy assistant secretary for legislative affairs, said in response to questions from House Commerce Digital Commerce Subcommittee Chairman Bob Latta (R-Ohio). Cyberthreats should be considered at most board meetings, Norton said.

Adding Cybersecurity Executives

Companies are also adding senior-level cybersecurity executives in recognition of the significance of ongoing data security risks.

In the past, “boards have focused keenly on business drivers only and not cyber security risks,” but they are now “trending towards diversifying ranks to include” cybersecurity pros that “report directly to the CEO,” Peter Tran, general manager and senior director in the Worldwide Advanced Cyber Defense Practice at RSA Security in Boston, told Bloomberg Law Nov. 1.

The risk of burying important security professionals to corporate subcommittees “or ad hoc security councils” can cripple companies facing a data breach, he said.

Adding cybersecurity professionals to boards and in executive-level roles won’t help if their voices aren’t heard.

Cybersecurity pros “should be a critical component of the board not only in an advisory capacity but as part of the overall governing and decision process,” Tran said. The risk of not giving them enough say in actionable positions “can end up with a ‘thanks but no thanks’ scenario if security is seen as an inconvenience,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Further information on the hearing is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security