A Look Back at the Role of the Board around Cybersecurity Oversight

JC Gaillard
Security Transformation Leadership
4 min read, May 4, 2024

There is something of a governance malpractice in bringing in a new expert for every problem the Board may encounter

I am not sure what to make of this recent report from Diligent and BitSight.

It is notable for the size of its sample (in excess of 4,000 organizations worldwide) and for its focus on Board oversight, but the bulk of the commentary in the cybersecurity media has been on a possible correlation between its results and total shareholder return (TSR), something that could be challenged, in my opinion.

Some commentators — and the report itself — appear to suggest that it is a higher level of cybersecurity maturity that leads to higher TSR.

My view is that the causality flows the other way: good mid- to long-term TSR reflects good management; good management encompasses good governance and good risk practices, and that extends naturally to the cybersecurity space. For example, it is not surprising to see in the report that firms with a more structured degree of cyber risk oversight return higher cyber maturity scores (as measured by the BitSight index); all of this forms part of the same trend towards good management practices. Good management, over time, leads to good security.

Founder & CEO @CorixPartners @Transform_Sec | Top #Cybersecurity ThoughtLeader on @Thinkers360 | Board Advisor & Non-Exec Dir | Author http://buff.ly/41a574n