February 8th, 2024

In the ever-evolving landscape of cybersecurity, the role of boards in overseeing and mitigating cyber risks has become increasingly crucial. Athena member Yvonne Wassenaar, a seasoned tech executive and CEO with a background in software engineering, sheds light on the cyber challenges companies face today. Currently serving on the boards of Arista Networks, Forrester Research, JFrog, and Rubrik, she shares critical insight into the board’s role in addressing cybersecurity concerns and explains how she brings her technical expertise to the boardroom to make an impact.

Cybersecurity’s Ascension to the Forefront

Over the past five years, we’ve witnessed a significant shift, with cybersecurity moving to the forefront of corporate priorities. The global shift to virtual work during the pandemic and the subsequent adoption of hybrid work models have expanded attack surfaces, making it easier for bad actors to infiltrate and wreak havoc. High-profile breaches and ransomware attacks have underscored the importance of treating cybersecurity as a critical business risk, warranting attention at the board level.

“What has been challenging for many boards to get their arms around is the sheer increase of topics and conversations that need to be handled at that governance layer,” Yvonne says. She outlines the strategic approaches taken by the boards she serves on to address cybersecurity challenges.

Firstly, there is a focus on ensuring that the board possesses the necessary technical expertise. This involves either bringing a seasoned Chief Information Security Officer (CISO) on board or upskilling existing talent on the board. In non-technology boards, there is a recognition of the need for technical expertise, and Yvonne plays a role in providing that insight.

Secondly, there is an emphasis on deepening and broadening the discussion of cybersecurity at the board level. While audit committees traditionally handle these discussions, the evolving nature of cyber threats necessitates broader awareness across the entire board. Cybersecurity is no longer just an audit committee topic; it has become a matter of concern for the entire board, requiring collective oversight.

Educational Initiatives and Board Cohesion

As cybersecurity becomes increasingly complex, boards are grappling with the challenge of addressing the talent gap. Yvonne says it’s important to have a mix of expertise on the board, and acknowledges that expecting every member to become a cybersecurity expert is unrealistic. “There are just not enough hours in a day for the entire board to be experts on everything and to discuss everything in great depth. And so I do think it’s important for boards to be thoughtful and strategic in how they structure, educate, and execute on these various topics.” 

She believes educational initiatives for board members are becoming more important. While not everyone may undertake a comprehensive cybersecurity course, there is value in having at least a few individuals with in-depth knowledge. The goal is for the entire board to be on the same page, with some members undertaking specialized courses and others engaging in focused reading or white paper reviews. Considering the vast array of responsibilities boards handle, they need to be strategic in their approach to managing various topics. This includes divvying up responsibilities, upskilling, and ensuring a cohesive understanding of critical issues like cybersecurity.

Measuring Success in Cybersecurity Oversight

Measuring success in cybersecurity oversight involves understanding the critical aspects of the business and identifying high-risk areas. Yvonne advises boards to focus on what is most critical to the business’s functionality and where the highest risks lie. She says, “It’s really important you understand: if your company stores PII data, then you need to make sure that’s being treated and protected appropriately. If I worked for a company that held a lot of organizations’ financial data in the cloud, and if that were somehow breached and people could get information about companies’ financial data prior to an earnings release, they could manipulate the markets, that would be very bad.”

Metrics should then be developed to assess the maturity of cybersecurity policies, track vulnerabilities, and evaluate the effectiveness of protective measures. Boards must recognize the need for a holistic viewpoint on cybersecurity and that it’s an ongoing, maturing process. The board’s role extends beyond achieving zero vulnerabilities; it involves managing risk thoughtfully, considering the return on investment against probabilities and potential damage.

In a world where cyber threats are pervasive, boards are under more pressure to navigate the complex terrain of cybersecurity. As technology continues to advance, maintaining adaptability is crucial to stay ahead of cyber threats and safeguard the interests of the organizations they govern.
