Opinion: Corporate Directors MIA in Cybersecurity Battle

September 28, 2017

Preventing future Equifax-type breaches

By Todd Thibodeaux

The roll call includes some of the biggest brand names in the business world. Target, LinkedIn, Yahoo, Home Depot, Anthem. Now Equifax adds its name to this roster of infamy.

Once again, tens of millions of innocent, trusting consumers are left in a digital lurch, with personally identifiable information stolen, financial accounts compromised and passwords pilfered.

Once again, a small number of C-level executives pay the price with their jobs, either through firings or forced retirements.

Once again, fingers are pointed at out-of-date software, faulty hardware, careless employees or incompetent contractors as the cause of the breach.

And once again, a group of individuals who should be front and center in cybersecurity discussions stays silently in the background.

It’s become far too easy – almost standard practice – for boards of directors to scapegoat CIOs, CISOs and IT teams when avoidable data breaches like the one at Equifax occur.

Should the internal team at Equifax have implemented security patches in a timely manner; enforced stricter password policies; and taken any number of other common sense security safeguards? Absolutely.




  • Mandate regular cybersecurity training throughout the organization. It can’t be just a one-off when new employees are hired. It has to be ongoing – annually at a minimum – so employees are kept aware of the latest cyber threats and the counter measures they can take. Cybersecurity training should become as much a part of the corporate culture as diversity training and fire drills.
  • Take a more active role in the oversight of the organization’s cybersecurity practices. Is the company following the NIST Cybersecurity Framework? If not, why not? Does the company have disaster recovery and business continuity plans in place in the event of an attack or breach? Does the company have a communications plan in place? While the board may not be responsible for designing and developing these plans, it is their responsibility to assure that senior management has such plans are in place?
  • Elevate the importance of cybersecurity. Given the potential risks involved – financial losses, damage to reputation, etc. – cyber readiness has to be a regular agenda item and discussion topic whenever the board meets. And perhaps it requires the creation of a board cyber committee, similar to the audit committee.

But should the company’s board of directors hold some responsibility for not ensuring the organization followed proper adherence to best security practices, including maintaining a verifiable audit trail? The answer, again, is absolutely.

When financial issues are involved there is direct accountability for the board because they are responsible for hiring (or firing) auditors. Yet in cases of cyber breaches, too often boards plead ignorance and stay silent, even though the hit to reputation and financial ramifications are far more reaching and damaging than any typical accounting irregularity.

Equifax, which put at risk the personal information of up to 143 million Americans, is now the subject of inquiries by the U.S. Justice Department, the Consumer Financial Protection Bureau, the Federal Trade Commission and at least 34 state attorneys general. Three congressional committees indicated they would open hearings. More than 50 class action lawsuits have been filed against Equifax as a result of the hack.

It’s long past time for directors to step up and take the same fiduciary oversight role and responsibility for cyber protection, just as they do in looking out for shareholder interests on the financial side. It should be standard practice for boards of directors to have standing cyber protection committees. What are boards signaling when they aren't making this a priority?

Corporate boards have not taken as strong a leadership role in this as they should. Perhaps it’s due to fear of the unknown. Most board members can decipher a balance sheet. But do they know what a penetration test is? Do they know how important corporate intellectual property is being safeguarded? Do they know if their company is following the best practices of the National Institutes of Standards and Technology (NIST) Cybersecurity Framework?

The answer to all three is likely no!

The tech industry is doing everything it can to provide products and services to combat cyber threats as they emerge. But companies have to be willing to use these tools and enforce the best practices detailed in the NIST Cybersecurity Framework.

Published in 2014, and currently undergoing a comprehensive update, the framework helps organizations better manage and reduce cybersecurity risk.

Human error continues to be the primary issue in most breaches. Yet only about half of the Fortune 5000 companies provide cyber training for their employees to help them understand how to be better cyber citizens. Everyone, at all levels from the boardroom to the warehouse, need to play their part.

Unfortunately, too many companies still choose to roll the dice, hoping they don’t get hit or persist in the mindset of It can’t happen to me. That’s an irresponsible position to take for any organization, let alone for one that holds sensitive consumer information.

Companies in consumer services, financial services and health services must do more to protect themselves – and their customers – than any other industry. These are the “honeypots” for hackers, frequently the points of greatest vulnerability. If these companies aren’t doing 10 times more than they need to do to protect themselves, they’re not doing enough.

The impetus for corporate behavior change may be determined in the court of law. Rolling the dice is a rational strategy when you face no specific civil penalties. So far, the courts have generally sided with companies who’ve been able to successfully demonstrate they were "doing all they can."

But the Equifax breach may be a tipping point where judges and juries start to see that those arguments don't hold water. Civil judgments in favor of large classes of plaintiffs and against corporate officers and directors may be the sea change that prompts organizations to devote more attention to their cyber readiness

Todd Thibodeaux is President and Chief Executive Officer of CompTIA, the ICT industry trade association. Before joining CompTIA in July 2008, Thibodeaux spent more than 17 years with the Consumer Electronics Association, where he served in a wide range of roles culminating as its Senior Vice President of industry relations.


Todd, excellent appraisal of the overall situation in the U.S.! I'd add that we currently don't have the right regulatory structure in place to motivate boards and senior executives to take responsibility for managing cyber risk and protecting customers' data. The great episodes of fraud committed by Enron and the like in the late 90s led to passage of the Sarbanes-Oxley Act of 2002. The recent cyber breaches and poor cyber leadership at Equifax and Yahoo cry out for a "cyber Sarbanes-Oxley."