Student Profile
Bethany Mayer
Former CEO: Ixia (Acquired by Keysight Technologies); Independent Board Director: Box, Lam Research, Marvell Semiconductor, Sempra Energy
Class of 2022
“I have noted that many board members have limited or no experience in cybersecurity and as a result are unable to ask questions necessary to truly understand the risks facing their companies… Much of the regulatory information and discussions (in the MS CRS program) have directly tied to my experiences in the boardrooms with management and other board members.”
Filling the Gap in Cybersecurity Experience on Company Boards
Company boards of directors typically include at least one financial expert. When it comes to cybersecurity, not so much. Bethany Mayer, a 30-year tech veteran, former CEO of Ixia and alumna of Apple, Cisco, HP, and Blue Coat, among others, said, “I have noted that many board members have limited or no experience in cybersecurity and as a result are unable to ask questions necessary to truly understand the risks facing their companies.” It’s time that a board seat goes to a cybersecurity expert as well. “Much like a financial expert, a cybersecurity expert would be able to ask probing questions and understand the language of the CISO to aid the board in understanding how vulnerable the company is.”
Mayer, who is currently serving on four public company boards and two private company boards, has a bird’s eye view of the urgent need to prioritize cyber defense. “The threat to both the US population and companies is ongoing and only growing in potential damage to property and human lives. The amount of attacks and kinds of attacks are escalating every day. I am concerned about companies who without demands from their boards would be vulnerable to attacks. Many companies are worried about ESG as an issue currently – and rightfully so – but cybersecurity risk is also a critical issue companies and boards must address.”
Understanding Technical, Regulatory and Legal Issues in Cybersecurity
Motivated to better her own expertise, Mayer chose NYU’s MS in Cybersecurity Risk & Strategy program because of what she calls its “unique confluence of technology, policy, and law that really helps me understand both the technical issues and the potential regulatory and legal liabilities facing companies.” Just within the first six months, she said, “Much of the regulatory information and discussions have directly tied to my experiences in the boardrooms with management and other board members.”
As part of her capstone project, Mayer is surveying board attitudes around the issue and reported that while awareness is critical, increasing an organization’s cybersecurity capabilities takes more than board awareness. For one thing, she said, there must be “a strong understanding that knowledge is necessary at all levels of the company in order to lower cybersecurity risk. Every employee, board member, and executive must receive ongoing training to understand what the threats are and what to do when attacked. All board members must know what the plan is when an attack occurs and understand their responsibilities as well as the liabilities for the company and themselves. Tabletop exercises are excellent ways to rehearse what a board would do in different situations, and full board training should be at least a twice-a-year occurrence, because the attacks change constantly.”
Prior to an attack occurring, she added, the company must ensure that there are enough funds to protect it, its employees, and customers from a potential breach, whether for training purposes, technology, processes, or insurance. “It is unnerving to know the ease with which an individual or a group can attack an entity and the work it takes to lower security risks to be able to limit or thwart an attack when one occurs… and they will occur. Heightened focus by the board and investment by the company, given the industry the company is in and the kinds of threats it faces, is critical to assure that the risk of attack is as low as possible and if an attack occurs, damage is understood quickly, limited and disclosed appropriately.”