President Biden called for companies to raise their cyber defenses this week as the risk of attack from Russian hackers increases. Of highest concern is critical infrastructure like communications technology and electricity. But in the digital age, pretty much every industry and company has some sort of vulnerability to cyberattacks, even if they might not know it.
We’ve got a shortage of cybersecurity professionals in this country, including at the highest levels of many companies and the boards that oversee them, which can make for some big cyber blind spots.
There are about 400,000 unfilled positions in cybersecurity in the U.S., according to the trade group ISC(2), and that’s likely an undercount, according to CEO Clar Rosso.
“That is only the organizations that have prioritized cybersecurity staff,” Rosso said. Many companies, particularly small and medium-sized ones, still don’t know what they don’t know.
According to a report from IT service firm Navisite, almost half of companies don’t have a dedicated chief information security officer.
They can be tough to hire, said Todd Thibodeaux, president and CEO of the Computer Technology Industry Association.
“They’re probably already working for other people. So if you can’t find someone in the market, nurture someone on your team into that role,” he said. People in other tech leadership roles can be trained on cybersecurity fundamentals through certification programs.
But first, company boards need to step up, according to Friso van der Oord, Senior Vice President of content at the National Association of Corporate Directors.
“Boards should be comfortable challenging management on how well this particular risk area is managed,” van der Oord said.
He said only 4% of directors for the biggest U.S. companies on the Russell 3000 Index have the cybersecurity expertise needed to do that challenging. “That’s an enormous gap.”
This week the Securities and Exchange Commission proposed a new set of rules that would require public companies to disclose whether they have cybersecurity experts on their boards, and what their strategies are to manage the risks.