In our increasingly interconnected world, the Internet of Everything
is making trust a critical element of how people use network-connected
devices to work, play, live, and learn. The relentless rise in
information security breaches underscores the deep need for enterprises
and governments alike to trust that their systems, data, business
partners, customers, and citizens are safe.
Consequently, I see an evolution taking place regarding
accountability in cybersecurity moving up to the boardroom level, an
issue I discussed earlier this year in Fortune. In a recent Information Systems Audit and Control Association
(ISACA) report, 55 percent of corporate directors revealed that they
have to personally understand and manage cyber as a risk area. The
National Association of Corporate Directors recently published a
document on corporate directors’ ownership and management of risk in
cyber for public companies. In March of this year, an SEC commissioner
said that the SEC plans to create a requirement for corporate directors
regarding managing cybersecurity as a risk.
Frankly, it’s about time. In today’s cyber economy, every company is
an IT company. Accountability in this risk area for businesses needs to
uplevel all the way to the C-suite. Security really is everyone’s
business – something Cisco has been saying for years – and it is now
clear that it is everyone’s responsibility as well, not just those with
the word “security” in their title or job description. Corporate boards
of directors across all industries will begin to ask tougher questions
about the security controls that their organizations have in place, and
those organizations will need answers. So when I think about the future
of cybersecurity, part of that future includes greater engagement in the
boardroom.
CISOs need to prepare for this increased level of responsibility by
instituting a set of risk controls. This heightened attention will bring
about a maturation and evolution of cybersecurity like nothing else
ever has. I believe that we will see substantive changes in the next
year, both in the U.S. and abroad, in how corporations will manage risk
and cybersecurity. We need it now.
Cisco is committed to this issue by further investment in the Cisco
Security and Trust Organization. The Security and Trust Organization’s
charter is to meet customer expectations regarding trustworthy product
development, secure solutions delivery and corporate responsibility. The
organization will have corporate-level responsibility for customer data
protection, secure processes and compliance. In short, we will continue
to be laser-focused on the security of our customers, our products and
our company.
I recently posted a video blog discussing the importance of
cybersecurity transparency and accountability to the board. Please let
me know your thoughts in the comment section.
