Look at the list of biggest data breaches of all time, and you’ll see some major players: LinkedIn, Facebook, Yahoo, Starwood (Marriott), Twitter, Equifax, Kaseya, SolarWinds, JBS, Colonial Pipeline, Uber, Zoom, CNA Financial, Capital One. The list goes on and on.
When hackers and malicious entities penetrate the applications, systems, and servers of such companies, they often gain access to highly sensitive information—including intellectual property, trade and product secrets, and confidential financial data as well as clients’ and users’ names, email addresses, social security numbers, dates of birth, chat and email transcripts, driver’s license numbers, passwords, phone numbers, bank account numbers, locations, and personal details such as marital status and sexual orientation. The damage to the breached company’s finances and reputation can be devastating.
In today’s hyperconnected world, every organization is a target, and every organization bears the responsibility of protecting itself against cyberattacks perpetrated by individual criminals and nation states alike.
However, preparing for what seems like a possible, probable, or perhaps even inevitable future attack is difficult. After all, CEOs, CFOs, COOs, and most board leaders are rightfully focused on making the business better. They’re not spending each and every moment of their workday studying emerging trends in information security and how to prevent data breaches. That’s why Raj Badhwar is advocating for chief information security officers (CISOs) to be included on corporate boards.
Unlike other leaders, CISOs do spend all their time thinking about better ways to prevent cyberattacks, and Badhwar says that adding one to a corporate board is the best way to fully represent the interests of shareholders. Badhwar himself is a field CISO at Oracle, where he advises customers on end-to-end cloud security and compliance with privacy and security regulations.
He studied electrical engineering at Karnatak University before earning a master’s degree in information systems technology from George Washington University. He also holds key industry certifications such as CISSP (Certified Information Systems Security Professional) and CEH (Certified Ethical Hacker). Badhwar has developed expertise in the management and delivery of cybersecurity and IT services and has built innovative, resilient security programs from the ground up. His current research interests include the use of artificial intelligence and machine learning in cybersecurity, post-quantum cryptography, and seamless zero-trust security.
Badhwar is also preparing himself to serve on a corporate board. He certainly has the credentials and experience. The veteran CISO has led IT and cybersecurity for some of the largest firms in the world, including AIG, Bank of America, BAE Systems Inc., and Voya Financial. In doing so, he’s managed large, diverse, and global teams. He had top-secret clearance from the US government while working as a defense contractor and has also coauthored fourteen security patents, authored three cybersecurity books, and cocreated one cybersecurity audiobook. Last, but certainly not least, he has cultivated robust experience as an advisory board member (he currently serves on the customer advisory board for Venafi and on the CISO advisory council for Infosys) and as a board member for key nonprofits in his space (he is a board member and the secretary of the National Technology Security Coalition and also serves on the CXO Trust Council for the Cloud Security Alliance).
Badhwar’s efforts to advocate for CISO inclusion on corporate boards get easier every time a new breach dominates the headlines. “If you don’t have someone technical who can judge the risk from advanced cyberattacks, you won’t be ready, and there are so many attacks that create millions of dollars of loss that not being ready is simply not an option,” Badhwar says. As he explains, companies need a CISO board member who has visibility, leverage, and access to other board members.
Badhwar is confident he and his counterparts in other organizations can share their security knowledge and explain to corporate boards how to efficiently implement cybersecurity best practices. Even in today’s threat landscape—where cyber risk runs high and bad actors spread advanced malware and launch ransomware, distributed denial of service (DDoS), and other attacks—there has not been a single breach or regulatory enforcement action on networks for which Badhwar was responsible.
While playing defense and managing cyber risk is important, companies also stand to profit from partnering with effective CISOs, Badhwar notes. He is interested in helping companies “create secure products and services, and cybersecurity-as-a-service-offering-based revenue streams.”
But identifying new sources of revenue is far from the only opportunity that boards can unlock by partnering with CISOs, Badhwar says. CISOs can also help introduce bias-free IT style guides; support minorities, veterans, and individuals with special needs or other disabilities; and educate executive leaders on ways to reduce risk.
When threats emerge or incidents occur, the CISO can help the board identify the causes, mitigate damages, respond appropriately, and communicate with regulators. A CISO board member, Badhwar notes, brings an unparalleled understanding of the overall regulatory landscape. He or she can prioritize financial investment in the organization’s cybersecurity program and also discuss relevant risks associated with mergers, acquisitions, and divestitures.
Today, Badhwar is more determined than ever to convince business leaders of the need to include CISOs on boards. The frequency and severity of data leaks and data breaches are on an upward trajectory, and no business is immune. Sole proprietorships, small start-ups, and Fortune 100 companies all use data centers, cloud-based systems, smartphones, and other digital tools. And in a hybrid work environment where workers need remote access, attacks can happen anywhere and at any time.
Gone are the days in which those responsible for protecting companies can outsource cybersecurity, install antivirus programs, cross their fingers, and hope for the best. Every company needs to stay diligent. Every company needs to raise internal awareness. Every company needs to hire the best IT leader. And in the words of Raj Badhwar, every company needs a CISO on its board of directors.
Thoughts from Guest Editor Michelle Collins
Cybersecurity is one of the top concerns for companies and corporate boards today. Companies that suffer a major cybersecurity or privacy breach face possible regulatory fines, reputation challenges, and economic consequences, among other issues. Raj’s experience with cybersecurity—combined with his knowledge of risk management and governance issues—should therefore make him highly sought after as a prospective board member.
Current knowledge of cybersecurity is critical since this is an area in which the latest methods are always changing. The network of colleagues Raj has will be of great value to a board to the extent that conflicts do not prevent access.
A board member with cybersecurity experience could assist a corporate board in forming a plan in case of a cybersecurity incident—an emergency plan, with action plans (and guidance for technology, legal, and insurance providers) for board members, management, and service providers. It is important to note that a board member is not the person who will actually dig in and lead the response effort, or even be on the remediation team. Rather, in a board oversight role, the cybersecurity board member would help refine the plan, ensure it is up to date, and help oversee the governance of the remediation.