Bringing the boardroom to the cyber battlefield

In early 2020, an extremely sophisticated group of hackers pulled off one of the most widespread cyberattacks in history. Believed to be working for the Russian government, they infiltrated the computer systems of an IT management software developer called SolarWinds and embedded malicious code into the company’s line of monitoring tools.

By June, the malware had given the hackers access to the inner workings of hundreds of federal agencies and Fortune 500 companies. By the time the hack was detected, the group had had months to spy on government and corporate operations.

For both the public and private sectors, the incident served as a wake-up call to a steadily escalating threat. Cyberattacks are as old as the internet, but in the past several years they have become more sophisticated, insidious and destructive. While direct reported losses from cyberattacks are small, around $500,000, the International Monetary Fund recently reported that the risk of extreme losses — at least as large as $2.5 billion — has grown.

Given how high the stakes are, the responsibility of protecting a corporation from cyberattacks falls upon its highest-ranking members: the board of directors. A crucial part of its job today is gauging if the right culture and governance are in place to safeguard the company’s systems from cybersecurity threats, and they need a nuanced understanding of cyber risk to do that.

“Boards have to be financially astute, of course, but they need to be cyber astute, too,” says Ron Green, Mastercard’s Cybersecurity Fellow and former chief security officer. “They face that challenge every day, whether they know it or not.”

However, that level of expertise is rare among directors. Only 12% of S&P 500 boards include a cybersecurity specialist, says Kimberly Cheatle, the director of the U.S. Secret Services, citing a 2023 study by NightDragon, a venture capital firm that funds cybersecurity companies, and Diligent Institute.

To help directors protect their companies — and their fellow citizens — from cybercrime, Mastercard has developed a training course, the Cybersecurity Board Academy, in collaboration with the U.S. Secret Service, Cybersecurity and Infrastructure Security Agency, the National Association of Corporate Directors and NightDragon. “This is a really unique opportunity to start closing that gap,” Cheatle says.

The first session of the CISA and Secret Service Board of Directors Academy, which was held Tuesday at the Secret Service’s James J. Rowley Training Center in South Laurel, Maryland, brought together corporate directors and industry experts to explore the state of the art in digital network protection.

Ron Green, Mastercard's Cybersecurity Fellow, addresses corporate directors attending a training session on cyber risk and resilience in Maryland earlier this week. (Photo credit: Rebecca Abraham)

“We wanted to make sure that we were strengthening that connectivity,” says Jen Easterly, CISA’s director. The private sector, she says, “obviously shouldn’t be expected to face down sophisticated nation-state actors alone. So it does put a real premium on increasing and strengthening the connectivity between the public sector and the private sector."

Working together to protect national infrastructure

In an increasingly interconnected world, cybersecurity must be a team effort. So Mastercard and its partners invited directors from Fortune 500 companies and many representing critical U.S. infrastructure to learn firsthand from government and industry experts. In a curriculum informed by the NACD and the Internet Security Alliance’s principles for effective cyber risk oversight, participants discussed threats, governance, protection and resilience, building a foundation of best practices for ongoing cyber defense.

In these attacks, damages can ripple far beyond the financial, with criminal and state-sponsored actors mounting espionage campaigns or attempting to disable critical national infrastructure. No institution is off-limits. Hospitals, school systems, medical research labs, state and local governments — all have become targets. And, because much of the U.S.’s infrastructure is owned by private entities, the business sector plays a crucial role in civil defense.

“Figuring out ways to be vigilant about this on behalf of our companies — on behalf of our country — is essential to what we do,” said Stephen Jennings, an independent director at chipmaker Analog Devices, who was among the 16 directors who attended the inaugural session. “We’re getting a better understanding of enforcement capabilities, the latest trends, the latest risks.”

The program is also forging an ongoing public-private partnership, so participants can continue to learn from each other and stay ahead of threats. Board members can tap into a widening network of cybersecurity expertise, while CISA and the Secret Service have an avenue for feedback to fine-tune their messages for the broader private sector.

“Cybersecurity has to be a collective effort, and now we can have more give and take between industry and the public sector to attack it going forward,” Jennings says. “The threat is not going away anytime soon. This is going to be an ongoing fight.”