How Should Boards Leverage Internal & External Cyber Experts?

Inside America's Boardrooms
With in-depth operational and technology experience (including positions of CIO and CTO) and years of P&L responsibility, Martin Davis checks the box in a skills matrix for a "cyber" or "technology expert." Too often, however, boards can feel like their duty is done once they onboard a cyber expert.

Given the rapid evolution of today's cyber risk environment, how much should boards expect from their cyber-savvy board members? And when should they bring in an outside expert? Davis, who currently serves on the board of South State Corporation, talked with Inside America's Boardrooms host TK Kerstetter on how to set realistic expectations, and on ways to put your board ahead of the curve.

Recruiting the right expertise, with the right expectations

"The role of the board is to ensure that the cyber posture and risk profile of the company is acceptable by the board. So you're really just asking questions of the management team as to whether or not they have the appropriate risk profile and that they have the appropriate protections as it relates to cyber." - Martin Davis, director, South State Corporation

To strengthen the cyber risk expertise of your board, Davis recommends looking beyond titles. "Boards should be attracting leaders with multiple skill sets and multiple experiences," Davis said, citing his own background in M&A and divestitures, operations, and leadership as well as cyber. "Hire a leader, hire a technology professional, hire someone with great experiences. You need an individual who can fill multiple gaps."

He also noted it's important to manage expectations, especially given cyber complexities and constantly evolving threats. "Nobody, even an individual as experienced as you are, is going to be able to get their arms around cyber," Kerstetter said to Davis. "You are going to know some good questions to ask, but the expectation that you're going to solve the cyber problem for a company? It's just not realistic."

Davis highlighted the importance of informed questions, and of the ability to evaluate the answers.

"The first thing I do on my board is I sit down with our CISO, and I sit down with the CIO. I want to make sure they know their stuff," Davis said. "So I'm asking them questions I have from 35 years of experience to see what kind of answers they're bringing back."

If additional insight is needed, don't hesitate to look beyond the board, Davis advised. "Hire an expert to either do a penetration test or a review of the cyber capabilities of the company," he said. This gives the board both a comfort level as it relates to the firm's cyber capabilities and the confidence that they've conducted their appropriate due diligence in upholding their fiduciary responsibilities.

Be prepared, and beware of social engineering

"I think the main risk is companies won't respond appropriately when they have a situation. We put together plans, but do we execute the plans when something happens?" - Martin Davis, director, South State Corporation

Given the rise of state-sponsored cybercrime and of groups that hack systems for their own challenge and enjoyment, Kerstetter asked Davis which risks worry him the most when he thinks about the future. His response: the risk of a company not responding appropriately when a situation does happen.

The first stages after a cyberattack are usually filled with confusion and uncertainty. Often companies aren't even sure they've been hacked. They need to pull out the playbooks they created in calmer times and execute those playbooks, Davis said. Such preparation includes segmenting your network, so that if one device is compromised, the attack can't spread across the entire network.

Companies also need to educate staff, and the board, about social engineering. With this type of cyberattack, criminals manipulate employees into breaking normal security procedures and best practices to gain access to systems, networks, data, or physical facilities.

Given today's threat environment, you can't remind people frequently enough of the dangers of social engineering, plus tactics for avoiding it, Kerstetter and Davis agreed.

"We can put all the technology in the world in place, but if someone gets socially engineered by giving up credentials or other information, you bypass all that technology," Davis said.