CISO perspective on why boards don’t fully grasp cyber attack risks
Due to their distinct perspectives, board members and CISOs often have differing views on cyber attack risks. The discrepancy arises when boards need cybersecurity expertise, need help comprehending technical jargon, or when CISOs need to communicate in business language.
In this Help Net Security interview, David Christensen, CISO of PlanSource, proposes strategies to understand and acknowledge the broader organizational and strategic implications of cybersecurity risk management, strategy, and governance.
Board members and CISOs often do not see eye-to-eye on the risk of cyber attacks. In your opinion, what is the primary cause of this discrepancy?
A difference in perspective is a fundamental reason board members and CISO are not always aligned. Board members typically have a much broader view of the organization’s goals, strategies, and overall risk landscape, where CISOs are responsible for assessing and mitigating cybersecurity risk. These differences in perspectives lead to contrasting priorities and risk assessments. However, when board members and CISOs do not see eye-to-eye on the risk of cyber attacks, it’s often a result of the board lacking cybersecurity expertise among its members, the complexity with understanding the topic and CISOs who focus too heavily on technical language during their discussions with the board.
Communicating cyber risk to the board requires the CISO to understand the audience, translating technical jargon into business language, allowing the board to see the CISO as a strategic partner. Becoming the strategic partner also requires CISOs to view their cybersecurity investments in terms of ROI to help the board understand the importance of an investment against competing priorities and spend.
CISOs need to also understand that board members often have a shorter time horizon for decision-making, focusing on quarterly or annual performance, in contrast to CISOs being more attuned to the potential long-term impacts of cyber attacks and advocating for proactive measures. This misalignment in time horizons can contribute to disparities in risk perceptions.
How can a CISO effectively translate technical jargon into business language that board members can understand and engage with? Do you have any specific strategies or approaches in mind?
A CISO needs to understand the knowledge and background of the board members to be able to translate technical jargon into business language and something familiar with the target audience. I approach this by relating technical jargon to everyday situations or business scenarios, something the board can easily grasp.
To be effective at this style of communication, I collaborate with other business leaders outside of the technology groups to optimize business alignment. Focusing on the potential business impact of cybersecurity risk also allows a CISO to frame technical issues in terms of their consequences such as financial loss or damage to the company’s brand.
It is equally important to be concise and avoid over-embellishing cyber-risks, while still focusing on the strategic objectives you are asking the board to weigh in on. To bridge the gap between board members and CISOs to promote the mitigation of cyber-risk, it is essential that a CISO enhance communication, educate board members about cybersecurity risks and promote a collaborative approach to decision making.
Many boards still see cybersecurity as a purely technical issue. What strategies can they employ to understand and acknowledge the broader organizational and strategic implications of cybersecurity?
For boards to better understand and acknowledge the broader organizational and strategic implications of cybersecurity, there needs to be a shift in how cyber-risk is viewed and approached. Boards can start by overcoming the common CISO-board disconnect that exists, developing a direct and strategic relationship with the CISO that continues outside of board meetings. Boards should also allocate more of their time to the topic of cybersecurity and allow the CISO to communicate risk to the board beyond just a handful of quarterly slides. Cybersecurity expertise also needs to be a part of a board’s composition, by including directors with a blend of business and cyber experience.
How do you envision the proposed amendments by the SEC changing the way boards approach cybersecurity risk management, strategy, and governance?
When the proposed amendments by the SEC become a reality, I envision boards putting more attention on cybersecurity issues. The hope is that these changes will lead boards to dedicate more resources, time, and expertise to assessing, managing and mitigating cybersecurity risk before they are impacted by an incident.
I would then expect this to result in boards establishing or enhancing governance structures related to cybersecurity, leading to them defining clear roles and responsibilities for cybersecurity oversight, and ultimately the presence of cybersecurity expertise at the board level. These amendments are also going to encourage boards to integrate cybersecurity considerations into their overall business strategy.
In your view, what concrete steps can board members take to improve their understanding of cybersecurity-induced risks and evaluate plans to manage them effectively?
Boards members should actively educate themselves about cybersecurity, attending training, workshops and conferences on the topic that can help them stay updated on emerging threats and latest trends. Boards should also establish a dedicated cybersecurity committee made up of members with relevant expertise to help assess and oversee cybersecurity initiatives within an organization.
The board should also engage with cybersecurity experts and consultants to gain insights into the specific risks and challenges facing their organization. In addition, boards should require their organizations conduct regular risk assessments, as well as reviewing cybersecurity reports, which will provide an overview of the organization’s cybersecurity posture.