It used to be the case that chief information security officers (CISOs) seemed out of place in the boardroom. But if the last several years have shown us anything, it’s that their presence there is essential.
However, communication between the CISO and the rest of the board isn’t always straightforward. Technical detail can get in the way, and CISOs may struggle to explain the imperatives of security and risk management in a way that engages and convinces the rest of the board. In the long run, that leads to security needs being deprioritized and to greater exposure to threats.
Following are several important points that are frequently left out of, or communicated poorly in, conversations between CISOs and the board, to the detriment of companies. Here’s what you need to tell the board, and how you might do it!
Communicate the need for a robust cybersecurity budget
When it comes to adequate cybersecurity, there’s no room for cutting corners. Of course, in response to the changing threat landscape, IT spending and cybersecurity budgets in particular have grown over the years. However, there’s still a tendency for companies to provide the bare minimum, which opens the door to all kinds of problems down the line.
Here CISOs have the responsibility to communicate the importance of a reasonable but reliable cybersecurity budget. Failing to provide for adequate security can end up costing much, much more. Take for example the growing ransomware industry and the ransoms being collected on average these days. In 2021, the average ransom had increased tenfold compared to the previous year and was estimated at $570,000. And the ransom itself is only part of the bill: downtime, recovery, legal and notification costs, and reputational damage typically add considerably to the total cost of an incident.
For this reason, CISOs must build a strong and convincing case for securing a budget that lets them do their job efficiently and thoroughly.
Explain how cybersecurity is a company effort
The cybersecurity team’s efforts are frequently understood in a disjointed way, as if separate from everything else going on in a company. This could not be further from the truth, and it is one of the messages that CISOs need to bring to the boardroom table.
Cybersecurity must be reframed in organizations and understood as a shared responsibility and effort. It’s not just that the security team cleans up the mess; everyone plays a part in averting the mess.
To communicate this clearly, CISOs need to draw the board’s attention to how the business creates value through its digital systems. They must then show how the cybersecurity effort and the risk management program are designed to protect that value creation, not as an afterthought but as part of the overall business strategy.
In other words, instead of working at the event level and focusing on averting the next threat, boards must understand that cybersecurity permeates all digital operations, all of the time, and is linked to every other kind of business problem.
Educate the board about the company’s security posture and framework
When CISOs speak, it can sometimes seem like they’re from another planet, which can leave the board confused, exhausted, and unable to act. CISOs therefore need to find a way to communicate the security posture, strategy, and threat level in terms that are concise and comprehensible.
For example, when describing the security posture and threat level, it’s usually a waste of time to get bogged down in every specific security metric or in how many attacks have been blocked. Depending on the framework you have adopted, you may be monitoring and measuring hundreds or even thousands of controls. Presenting these in great detail is likely to lead nowhere.
Instead, CISOs may want to reduce their presentation to five main pillars (products, infrastructure, detection and response, people, and governance) and tell the board how the company is doing in each of these areas. Greater detail can then be provided where needed. But unless CISOs help educate their peers over time, their presentation on the company’s security posture will have a limited impact.
On a more abstract level, CISOs must also introduce the board to the need to align with, and be compliant with, a specific security framework or methodology. Whether it’s the NIST Cybersecurity Framework, ISO/IEC 27001, SOC 2 (strictly an audit attestation standard rather than a control framework, but it serves the same purpose of structuring and evidencing controls), or something else, adopting and adhering to a framework helps develop cybersecurity maturity over time. Why and how this matters, and what it does for the company, must be part of the conversation.
Show how cybersecurity is creating positive change
It’s not all threats and frameworks; occasionally it’s good to also highlight the results of your efforts. Focusing strictly on what’s wrong or what could go wrong, or on the current status of the security posture, can stop CISOs and the board from seeing the forest for the trees and losing sight of what the point of all this is.
Unfortunately, this is all too often left out. Highlighting successes is not vain boasting: it helps build the business case for why security matters. It also demonstrates the ways in which security generates business value, reinforces cooperation within the board, and helps build a more unified company.
So when an extreme event hits and your ship remains afloat, make sure to highlight what you did right and how it worked!
Partner with AMATAS to cover all your CISO needs
With the overall shortage of cybersecurity professionals on the market, CISOs are often hard to come by. For some companies, a full-time CISO may not be necessary or may be too large an investment, yet they could still benefit from the expertise and experience of such a professional.
Our Virtual CISO service can provide you with the leadership needed to address your cybersecurity needs proactively and strategically, create a safe digital workplace environment, and turn your current security operations into a business-enabling and driving force.
Want to know more? Get in touch and let’s discuss how AMATAS can help!