The role of the Chief Information Security Officer (CISO) has evolved considerably in recent years, to the point where in many organisations the CISO now regularly consults with the CFO, CTO and CEO on security strategy, cyber risk and how to approach digital transformation. But while some CISOs have earned a seat at the executive table, that is far from universal.
In the past, digital security was a high priority mainly for heavily regulated sectors such as banking, insurance, utilities and the public sector. The rapid expansion of online channels in the wake of the global pandemic has made companies in every industry a potential target for cyber criminals, so C-suite executives need to be fully informed about the preventative steps that must be taken, and why.
This can prove problematic in instances where the CISO-board relationship is broken, or CISOs don’t have a voice on the board, or the executive board views cybersecurity as primarily an IT matter. To get the right funding and support, CISOs will need to bridge the communications divide and make it easy for the board of directors to understand what’s at stake and why.
When looking to win hearts and minds, CISOs will need to focus on four key things to get their message across.
1 Building a top-down cybersecurity culture: we’re all in this together
Ultimately, CISOs need boards to take an active role in cybersecurity policies and awareness. That includes ensuring all parts of the business are unified and operate as one in pursuit of a common goal: understanding and mitigating cyber risk.
In many cases that will require the conversation to shift away from a purely technical focus towards assessing and benchmarking the overall cyber maturity and preparedness of the organisation. That should include understanding which employee groups are most exposed, how many accounts hold privileged rights, and what happens when business units or users fail to pay attention to the risks that come with digitised operations.
The board will need to be fully behind initiatives that ensure the workforce undergoes continuous training, from the moment a new employee is onboarded. It will also need to support regular risk assessments, together with simulated phishing exercises that help employees stay vigilant and alert.
2 Getting to grips with realistic metrics: understanding the state of play
Reporting how many attacks the security team blocked each month says little about exposure: blocked-attack counts are mostly automated noise, and on their own they can lead to complacency among board members or to the mistaken belief that the controls in place are working perfectly adequately.
What the board needs to see are detailed insights that highlight the scale of the threat mitigation challenge as cyber criminals continue to hone and evolve their tactics. If board members are to balance return on investment in cybersecurity against other business goals, they’ll need to know the nitty-gritty of what’s going on at the cybersecurity coalface. That includes receiving details on:
- Cyber threat dwell time – how long an adversary was present in the environment before being discovered, measured from the earliest evidence of compromise to detection rather than from the first alert
- Patching and vulnerability metrics – how long it takes teams to remediate a finding or roll out a patch, broken down by severity, and how many findings are still open beyond their agreed remediation window
- Actual threat volumes – the number of confirmed incidents that were identified and remedied, by type
- Mitigation – the measured effect of initiatives such as multi-factor authentication, a phishing awareness exercise or a new security solution, for example the change in phishing click rate or in credential-theft incidents before and after roll-out.
Sharing this kind of data will focus board decision making on where investment needs to be prioritised and whether there is a pressing need for more spending to tackle security basics like updates, authentication, system access and configuration.
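The following script is an added example, not code from the original article, showing how the metrics listed above can be produced consistently from raw incident and vulnerability records. The record fields, the per-severity SLA thresholds and all sample data are assumptions made for illustration. Two design choices matter for a board audience: dwell time is reported as median and 90th percentile rather than a mean, because a single long-running intrusion skews an average; and an open finding that has already exceeded its SLA counts as non-compliant, so averaging only closed tickets cannot hide an unpatched critical.

```python
"""Board-level security metrics from raw incident and vulnerability records.
Added example; record fields, SLA thresholds and sample data are assumptions."""
from __future__ import annotations
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Assumed remediation SLAs in days by severity; substitute your own policy.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Incident:
    incident_id: str
    category: str             # e.g. "phishing", "malware", "credential-theft"
    first_evidence: datetime  # earliest evidence of compromise found in forensics
    detected: datetime        # when the SOC first identified the activity

@dataclass
class Vulnerability:
    vuln_id: str
    severity: str
    disclosed: datetime          # date a fix became available
    patched: Optional[datetime]  # None while still open

def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile, so no numpy dependency is needed."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def dwell_time_summary(incidents: list[Incident]) -> dict:
    """Dwell time runs from earliest evidence of compromise to detection.
    Median and p90 are reported instead of the mean to resist skew."""
    days = [(i.detected - i.first_evidence).total_seconds() / 86400 for i in incidents]
    return {
        "incidents": len(days),
        "median_days": median(days),
        "p90_days": percentile(days, 90),
        "max_days": max(days),
    }

def patch_metrics(vulns: list[Vulnerability], as_of: datetime) -> dict:
    """Mean time to patch and SLA compliance per severity. Open findings
    already past their SLA are counted as non-compliant, not ignored."""
    report = {}
    for sev, sla in PATCH_SLA_DAYS.items():
        group = [v for v in vulns if v.severity == sev]
        if not group:
            continue
        closed_days = [(v.patched - v.disclosed).days for v in group if v.patched]
        late_closed = sum(1 for d in closed_days if d > sla)
        overdue_open = sum(1 for v in group
                           if v.patched is None and (as_of - v.disclosed).days > sla)
        compliant = len(group) - late_closed - overdue_open
        report[sev] = {
            "total": len(group),
            "open": len(group) - len(closed_days),
            "overdue_open": overdue_open,
            "mttp_days": round(sum(closed_days) / len(closed_days), 1) if closed_days else None,
            "sla_compliance_pct": round(100 * compliant / len(group), 1),
        }
    return report

def incident_volumes(incidents: list[Incident]) -> dict:
    """Confirmed incidents by category: what was handled, not what was auto-blocked."""
    return dict(Counter(i.category for i in incidents))

# Constructed sample data for illustration only.
D = datetime
INCIDENTS = [
    Incident("INC-1", "phishing", D(2021, 3, 1), D(2021, 3, 3)),
    Incident("INC-2", "credential-theft", D(2021, 2, 10), D(2021, 3, 14)),
    Incident("INC-3", "malware", D(2021, 3, 20), D(2021, 3, 21)),
    Incident("INC-4", "phishing", D(2021, 3, 25), D(2021, 3, 29)),
]
VULNS = [
    Vulnerability("VULN-1", "critical", D(2021, 3, 1), D(2021, 3, 5)),
    Vulnerability("VULN-2", "critical", D(2021, 3, 2), D(2021, 3, 20)),
    Vulnerability("VULN-3", "critical", D(2021, 3, 10), None),
    Vulnerability("VULN-4", "high", D(2021, 2, 1), D(2021, 2, 20)),
    Vulnerability("VULN-5", "high", D(2021, 3, 25), None),
]
AS_OF = D(2021, 4, 1)

def board_report(incidents=INCIDENTS, vulns=VULNS, as_of=AS_OF) -> dict:
    """Everything the board needs in one structure, ready to chart or tabulate."""
    return {
        "dwell_time": dwell_time_summary(incidents),
        "patching": patch_metrics(vulns, as_of),
        "incident_volumes": incident_volumes(incidents),
    }
```

On the sample data, the mean dwell time would be 9.75 days, while the median is 3 days and the p90 is 32 days: the single long-running credential-theft intrusion is exactly what the board needs to see, and a mean alone would blur it. The critical-severity row shows 33.3% SLA compliance because one finding was patched late and one is still open past its window.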
3 Benchmarking our capabilities: where are we in the cybersecurity maturity cycle?
It takes time to build and develop a robust cybersecurity programme. Ensuring that the board understands where the organisation is today in terms of control maturity is the essential first step for developing a strategy that will improve security effectiveness over time.
Benchmarking against recognised standards and frameworks such as the NIST Cybersecurity Framework, the CIS Critical Security Controls (formerly the CIS Top 20) and ISO/IEC 27001 gives the board a common yardstick for measuring control maturity against current and emerging cyber risks. It is also key to focusing effort, because it shows which security controls support which strategic business goals and where the gaps lie.
4 The need for appropriate investment: are we spending enough?
Today’s hyper-connected operational reality means organisations cannot afford to skimp on their cybersecurity budgets. According to ISG Research, enterprise cybersecurity annual spend per user jumped by more than 40% between 2019 and 2020.
While no organisation has a bottomless budget for implementing the latest technical solutions alongside robust processes, failing to adequately invest in cybersecurity will expose the business to significant risk.
Organisations running outdated technology have weak visibility of their environment, leaving them blind to threats targeting their data. Likewise, failing to invest in the cybersecurity professionals tasked with protecting the company and its data leaves the organisation unprepared for the next incident. Finally, failing to understand the importance of properly funding the cybersecurity programme leads to business decisions being made without considering how they will affect IT teams and the wider security posture of the organisation.
It’s time to talk
Today’s CISOs need to be advocates for good information security and that means communicating clearly how cyber risk can impact the goals of the wider business.
Educating the board so it can make informed decisions begins with equipping the leadership team with meaningful insights that resonate commercially. This lets the senior management team act as one to manage the inevitable tensions between usability, security and cost that arise when an organisation systematically prepares its digital defences against today’s rising threats.
By demystifying cybersecurity, board members can engage and bring their experience to bear. However, CISOs also need to be prepared to enter conversations armed with facts that will make it easier for the C-suite and board members to make security-centric decisions that will be critical for months and years to come.