The cost of global cybercrime damage is predicted to grow by 15% per year and is projected to reach $10.5 trillion USD annually by 2025. As a result, many organizations have begun prioritizing cybersecurity competency and upskilling at every level of seniority. On top of that, a rule proposed by the SEC in April of 2022, which requires stricter qualifications for cybersecurity expertise on boards and in senior management, is tentatively scheduled to be finalized by October 2023.
As organizations across all industries prepare for this ruling, the question remains: what type of qualifications constitute cybersecurity expertise? At a baseline, cybersecurity executives and board members must be well-rounded, knowledgeable, and experienced across the industry. I’ve outlined some concrete credentials organizations need to look for when facing the question of how to begin satisfying the requirement for cybersecurity expertise:
Proven, Hands-on Industry Experience and Involvement
When it comes to evaluating professionals for senior cybersecurity positions, expertise should go beyond educational background alone. In fact, 25% of organizations surveyed in ISACA’s State of Cybersecurity 2022 Report responded that a university degree is not very important in their evaluation process for cybersecurity candidates, while 46% responded that it is only somewhat important. On top of this, gaining cybersecurity knowledge and hard skills is now more attainable than ever, as high-quality information and online courses can be accessed seamlessly. With this in mind, evaluating professionals for these positions becomes a more nuanced undertaking: those appointed to senior positions must be able to prove that their skills match what’s listed on their resume.
For board members, proven industry tenure is key. At a minimum, managers and board members should have 15-20 years of proven and verifiable cybersecurity industry experience. Although a degree in cybersecurity or computer science is required, senior employees must also be able to demonstrate direct experience in, for instance, developing cyber policies, strategies, and response plans.
Specialized Training and Professional Certification
On top of diverse industry experience, board members and senior professionals should be required to undergo regular cybersecurity training and professional certification, to establish that they have achieved a fluent level of cybersecurity knowledge and leadership ability. Within the cybersecurity profession, upskilling and continuous education are critical, as the threat landscape continues to evolve rapidly. With a new ransomware attack happening nearly every 14 seconds, training and certification around these attacks is paramount to ensure that cybersecurity leaders and board members are fully equipped to mitigate them.
Achieving a number of prominent industry certifications, through programs such as the Certified Information Privacy Professional (CIPP) and Certified Information Systems Security Professional (CISSP), should be a requirement when evaluating senior employees and board members, to validate their technical skills and commitment to meeting industry standards. Involvement in cybersecurity-related boards, forums, and community groups, such as the Cloud Security Alliance (CSA), Information Systems Audit and Control Association (ISACA), and Information Systems Security Association (ISSA), is helpful too.
The Leadership of Security Audit Initiatives
Security audits, including ISO, SOC 2 Type II, CSA STAR, IRAP, FedRAMP and StateRAMP, are now critical to undergo, as organizations must be able to verify that their data practices are secure. As cyber threats mount, organizations across all industries are looking to undergo these rigorous audits to validate their commitment to security, meaning that leadership experience with any number of them is a must-have. Cybersecurity leaders should therefore be required to show experience guiding an organization through one or more of these audits, as such experience verifies both attention to detail and dedication to the highest security standards.
Organizations should also consider requiring certifications that meet the unique standards of their specific industry, to ensure that anyone being evaluated for a cybersecurity role also has specialized knowledge of which threats and policies are prevalent in it. For example, a retail company may face significantly different cyber threats than a software provider; cybersecurity professionals should therefore also be required to gain this industry-specific knowledge to lead effectively.
Opportunity for All
Beyond required attributes, it’s critical to provide equal opportunity for all when considering candidates for cybersecurity management or boards. For instance, a 2021 study by Boston Consulting Group found that women account for 38% of workers in STEM jobs but only about 25% of the cybersecurity workforce. Boards should strive for more female representation, with a specific goal or requirement tied to it. As diverse perspectives bring more ideas and viewpoints to the table, companies across every industry should strive to foster inclusion and equity when appointing senior cybersecurity professionals or board members. I am personally passionate about advocating for women in male-dominated industries and have demonstrated a commitment to supporting women in security by leading a team made up of 50% women.
Ultimately, more comprehensive requirements should be put in place to ensure that boards are composed of individuals who are able to protect their organization from cyberattacks, develop effective security policies, and allocate resources efficiently. Board members should have well-rounded experience across areas of cybersecurity and business. Since cybersecurity is now a priority for boards across all industries, board members, regardless of professional background, must be well-versed in current security threats and their implications, and be willing to undergo further education and upskilling around security strategy and emerging threats. As the SEC looks to tighten requirements around these qualifications, organizations across all industries should do the same to safeguard their most sensitive data, their people, and their long-term success.