CISOs & the Board - Why Cyber Security Needs a Seat at the Table
Chief Information Security Officers (CISOs) are tasked with many challenges, but arguably the biggest headache of the role surrounds getting that elusive board buy-in.
With responsibility for a company's information security falling to CISOs, those struggling to achieve this all-important buy-in see their company a ground for cybercrime and security vulnerabilities. An issue which circles back to leave CISO’s ultimately responsible.
This board disconnect filters back to a disconnect in knowledge with C-suite executives simply failing to align cyber security to top and bottom-line relevancy. With such expertise lacking, it is understandable why governance and oversight is insufficient and cyber security suffers. Genuine board buy-in trickles down from cyber security being redefined as a strategic, business-critical conversation.
With expertise lacking, some CISOs perceive company boards to undervalue security because of their inability to link cyber security to the wider strategic business function. When surveyed, only half of CISOs perceived their managerial departments to value security teams “from a revenue and brand protection standpoint”. Eighteen percent admitted to feeling like their security team was an inconvenience or even irrelevant in the eyes of their board. Given these perceptions it is understandable why only 37 percent of boards give CISOs a seat at their table.
A shift in perception is needed. Yet, such shift will only occur when the C-suite is educated and informed. CISOs have seen the best success when boards are proactively interested in learning cyber security’s value, knowledge gaps are closed, and a two-way dialogue is opened.
Yet, blame cannot fall solely on the board. CISOs need to step beyond their technical comfort zone to educate themselves on wider business practices and how to most effectively relate cyber security to the profit and risk drivers of the wider business. With almost half of board meetings focusing on strategy and performance management, this creates a perfect foundation for CISOs to focus on. CISOs found to best connect with their board reshape security-related information, whether that be external incidents or internal performance, into narrative-driven reporting that draws in wider business focus and financial and operational risk.
Through this reporting focus, which ties to wider risk management, finance and compliance considerations, value is inherently created for the board. By switching from technical jargon to board-relevant reporting, board members are best engaged.
Finally, communication with the C-suite and senior management must go beyond the board room. Open, personalised relationships both manage expectations and further prove CISO credibility. For example, CISOs should continually engage with the Chief Financial Officer (CFO) about financial matters or discuss operations in relation to cyber security with the Chief Operations Officer (COO).
Overall, the drive for meaningful, metric-driven information has proven to best capture board interest. Whether measuring financial risks or cyber security performance, the board demand all aspects of the business are objectively quantified in the same way.
As businesses progress further into the technological age, the influence of cyber security on the wider organisation is becoming undeniable. As a result, the move beyond surface level board interest must be replaced with an open seat at the table for the CISOs. In an ideal world, boards will be reshaped with the traditional cyber security silos replaced by an aligned and collaborative front.