Abstract

After attending corporate board meetings for approximately 85 different Fortune 500 organizations and listening to CEOs and CISOs discuss cyber risk in supply chains and after then meeting with many of them personally we came away with three primary takeaways First the main cybersecurity interest of most upper-level managers is primarily in avoiding major negative consequences i e Black Swans to their firms Second over 90 of corporate board members we have met with are either neutral or not confident with their security program s effectiveness But finally and of major concern to us was the observation that CISOs primarily tell their boards anecdotes or stories and they do not present boards with any substantive and specific direction to avoid supply-chain cyber loss We believe this is unfortunate because based on a different set of experiences we have had namely performing several thousand forensic studies including about one thousand for the U S Secret Service-most with about 100 page or more reports we believe corporate boards can take specific reasoned actions and thereby reduce significantly their organization s exposure to and subsequent losses from supply-chain cyber-attacks