Evolving conversations: Cybersecurity as a business risk
Board members often lack technical expertise and may not fully grasp cyber risks. On the other hand, CISOs are more accustomed to interfacing with IT staff. This is understandable; the board is responsible for guiding high-level decision-making. They rarely become involved with the details, leaving implementation plans and technical audits for the CISO to handle.
The solution is effectively integrating the CISO into the C-suite and forming a collaborative relationship with the board. By using simple and concise language, the existing knowledge gap can be addressed. There is also a need for CISIOs to convey the gravity of threats in a manner that highlights the risks and the appropriate level of response required.
Considering the above, this article examines the current relationship between the CISO and the rest of the board and best practices for navigating conversations with the board when discussing cybersecurity priorities. With cyber-attacks posing major financial and reputational risks, strong CISO-board collaboration is critical, and CISOs must hone their skills.
The CISO-board disconnect
According to a Proofpoint report, roughly 53% of board members report having regular interactions with their cybersecurity experts. This leaves about half of all boardrooms lacking a strong, distinct CISO perspective in their decision making. Frequent collaboration between the CISO and the rest of the board is vital to building trust and rapport as it guarantees that relevant cybersecurity concerns are being brought up with the right people and being addressed in a timely manner.
There are also certain gaps in perspectives on the application of cybersecurity strategies and resource allocation between security experts and other C-suite executives. The Proofpoint report also suggests that while CISOs cite insider threats, email fraud, and business email compromise as major concerns to be addressed, the rest of the board do not share that view. For the board, ransomware and cloud compromise are threats that take top priority. Additionally, board members’ concerns around security incident consequences focus on internal data becoming public as well as reputational damage in the case of a hack, whereas CISOs are more worried about disruptions to operations that a hack could bring.
There is a disconnect between the board and their CISO about priorities. The board is focused on reactive security, whereas CISOs are more concerned with proactive prevention and mitigation. This gap can be bridged through a shift in conversation where cybersecurity is perceived as a defense mechanism rather than as an opportunity for business growth. Given that the CISO is the expert in the field, it is up to them to lead that shift.
The investment conversation
Business leaders have begun to understand that cybersecurity is crucial, but its importance is not always clear to those controlling budgets and making decisions. Communicating cybersecurity’s value and potential impact in a compelling way is key to getting leadership buy-in and securing the resources needed for an effective security strategy.
To make the most informed cybersecurity investment decisions and optimize return on investment, CISOs need visibility into performance trends over time. By consistently tracking and analyzing relevant data, CISOs can better understand the real-world effectiveness of their current security tools and pinpoint opportunities for improvement. Crucially, this data-driven approach also enables quantification of ROI against threats that were avoided, providing a more complete picture of overall security impact that is often overlooked. Taking a data-centric view ensures cybersecurity spending is optimized and aligned with maximum defensive value.
A challenge that CISOs may face in this endeavor is the vast array of cybersecurity products and data that is now available to them. With endless options to evaluate, determining the potential value and ROI of each solution may prove difficult. Uncertainty regarding which product to invest in is bound to lead to hesitant investing due to the struggle to quantify how the new products will improve security maturity.
In 2022, enterprises allotted 9.9% of their IT budgets for cybersecurity on average. However, in industries like tech and healthcare, CISOs report cloud software can take up to 40% of budgets given complex tech stacks across business units. The inability to measure the effectiveness and impact of investments hinders decision-making and slows security advancement. Considering this, organizations must ingrain processes for benchmarking, budgeting, and assessing course corrections to succeed.
An outcome-based strategy
Keeping the board engaged and interested involves leading with key points, linking those points to costs and revenue growth, while outlining next steps. To mitigate the challenge of effectively conveying the pros and cons for each security product and persuading the board to invest without hesitation, CISOs must employ an outcome-based cybersecurity strategy for their organizations.
This approach involves aligning cybersecurity strategy with desired business outcomes and maximizing business impact. Some of these strategies include risk mitigation, customer experience, revenue expansion, governance, and operational resilience. Rather than viewing security strictly as reactive defense against threats, IT and cyber leaders must proactively communicate its role in enabling desired business outcomes.
By tying security programs to concrete goals across risk, CX, growth, compliance, and resilience, organizations can shift perspectives and unlock additional resources. The emphasis becomes leveraging cybersecurity as a strategic driver of success versus simply an overhead cost center.
Making cybersecurity part of the business growth strategy
Cybersecurity has evolved as threats have evolved, with new tools at attackers’ disposal such as FraudGPT, EvilGPT, and WormGPT.
In this ever-changing landscape, it is crucial for security leaders to lead effective conversations with their board to fulfill their role in safeguarding their organizations against evolving threats.
Armed with the right information, it is up to the CISO to bring the board members to the same page when it comes to securing their organizations, being prepared for worst case-scenario, while also translating cybersecurity measures as drivers towards meeting business outcomes and maximizing the organization’s impact.
Despite perceived cybersecurity risks, most boards express satisfaction with current investment levels and CISO relationships. This comfort may stem from greater visibility into security operations and struggles amidst pandemic-driven disruption. However, boards must avoid complacency. While CISOs provide reassurance, boards must still critically assess in-house cybersecurity capabilities. Mere presence of a CISO does not guarantee effective security.
Rather than falling into a false sense of cybersecurity, board members must be proactive in taking steps to bridge any gaps that may exist between them and their security expert.
Though approaches may differ, CISOs and boards share the same goal: securing their organization’s lasting success amidst cyber challenges. To this end, boards must provide CISOs support to implement business-focused security strategies with the insight needed to address modern threats. Alignment of objectives lays the foundation for an effective partnership.