How CISOs and their peers can better engage with boards to get long-term buy-in for strategic initiatives.
Building a safer digital world requires action on several fronts. Initiatives like Cybersecurity Awareness Month (CSAM) are great opportunities to remind the general public of important best practices for password management, vulnerability patching and more. But while this can help make life tougher for cybercriminals targeting consumers, it’s still opportunity for bringing cyber-risks to the attention of business leaders.
In the US, there was a 114% quarterly increase in publicly reported data breaches in Q2 2023, putting the year on track for another record. In Europe, EU security agency ENISA warned in 2022 of a surge in zero-day exploits, ransomware-as-a-service, hackers-for-hire, supply chain attacks and social engineering. Getting to grips with this is ultimately the job of the CISO. But for that role to be effective, it needs the right support from the board. This is why it’s so important to get engagement and buy-in for projects.
IT-board alignment
There’s often been something of a disconnect between business leadership and those in charge of IT and cyber strategy. Broadly speaking, the perception of security is that it’s necessary to keep cyberthreats at bay, but not much more than that. That is, many boards may still see IT and cybersecurity as a necessary cost but not a revenue contributor – and certainly not a business enabler.
The end result is that although Gartner predicts global spending on security and risk management to grow by more than 11% in 2023, to $188bn, it may not necessarily be spent wisely. Disengaged boards tend to free up budget in a piecemeal and reactive manner, such as following a breach. That can lead to poor outcomes, and an accumulation of point solutions which ultimately prove bad value for money.
In fact, according to one study, only two-fifths (39%) of security decision makers believe their company leadership truly understands the role cybersecurity plays in business success. A similar share (36%) claim security is only viewed through the lens of compliance requirements. So how can CISOs and their peers better engage with boards to get long-term buy-in for strategic initiatives?
Here are six suggestions:
Speak the right language
The first step towards better cyber-business alignment is to be understood. That means speaking a language not of bits and bytes and complex technological detail, but of business risk. That will make it easier to engage board leaders and get buy-in for a specific strategic initiative. Tell them a ransomware attack could take 200 servers offline and they may think “so what?” But explain that this could cause a week’s downtime at a cost of $400,000 per hour and the reaction will be very different.
Measure risk and make it relevant
Part of conversing in a language both sides understand comes down to sharing data based on metrics that translate cybersecurity information into measurements the board and business care about. Areas to consider are metrics that show the performance and effectiveness of existing security controls – to illustrate where things are working well and areas that need improvement. Tracking these over time will add further impact, as will comparisons with industry benchmarks.
When presenting these to the board keep things simple and high level. But don’t be afraid to use anecdotal stories from the company to bring a point home.
Promote security by design and default
According to the World Economic Forum (WEF), 43% of business leaders think it’s likely that a cyberattack will “materially affect” their organization in the next two years. While it’s a positive thing that they appreciate the gravity of cyber-risk, it’s also reflective of a boardroom mindset increasingly focused on channelling resources into day-to-day rather than strategic investment.
The CISO needs to persuade their peers at the top table to look at cybersecurity more strategically, and that by doing so they will get better outcomes. Security by design and default is the best practice promoted by GDPR regulators and others. It means security considerations must be built into new business initiatives or products at their very inception, rather than tagged on at the end, or – even worse – after an incident.
Meet more often
Over half (56%) of CISOs now meet monthly or more often with their board, according to WEF. This is a great step towards getting board buy-in for security, especially given the speed with which the threat landscape evolves. However, more needs to be done to promote mutual understanding. One way is ensuring the CISO reports directly to the CEO – thus ensuring the latter gets more exposure to cybersecurity and that security leadership gains more direct feedback from the business.
Formalize cybersecurity programs
Too many cybersecurity programs are ad hoc and technically focused. Instead, they should be properly documented, measured against relevant KPIs and metrics and formalized in a top-down structure. This will help to cement the role of cybersecurity in the business.
Hire some BISOs
The business information security officer (BISO) is a specific departmental or business unit role responsible for liaising with both the business and the security team. In so doing, they help to turn high-level strategy into practical operational steps. Thus, they can create that security-by-design culture that every organization should aspire to, and in so doing prove to sceptical boards that security should be embedded into every part of the business.
Conclusion
According to WEF, recent geopolitical instability has helped to bring CISO and board views on the importance of cyber-risk management closer together. Today, 91% of this combined community believes that a far-reaching, catastrophic cyber event is somewhat likely in the next two years. But there’s still some way to go. For many organizations, getting that all-important boardroom engagement and buy-in will be the work of months or even years. And most importantly, it may require a mindset shift not just from business leaders, but also CISOs.
Comments