Prioritizing CISOs’ Relationship with the Board
 

“Hearing is not the same as listening,” begins the World Economic Forum’s (WEF’s) Global Security Outlook 2023. “The significance of cyber risk has certainly been heard in C-suites and boardrooms. Whether cyber leaders and business leaders understand each other well enough to meet this challenge is, on the other hand, an open question.”[1] This opening salvo encapsulates the state of CISO-board affairs today.

Similarly, the Mimecast survey Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk finds significant but incomplete progress in CISO-board relations in recent years. The now prevalent view of cyber risk as a high-priority business risk is translating into more and better dialogue between cybersecurity leaders and business leaders, but there is still room for improvement.

Many factors are driving CISOs and boards closer. Costly cyberattacks continue. Related regulatory risk, an area that board members typically prioritize, is increasing across the world. This includes the U.S., where the Securities and Exchange Commission is poised to require routine public company reports on the board’s own role in cybersecurity oversight.[2] And the need to link cyber and business risk management has never been more explicit, with the National Association of Corporate Directors (NACD) calling on boards this year to “hardwire cyber risk consideration into key operational and strategic decision-making”.[3]

Looking ahead, the WEF report says, “Boosting cyber resilience starts with improving communication between cyber and business leaders.” On this front, Mimecast’s survey of the two groups is revealing. In interviews with 78 executive leaders in 12 countries, respondents speaking anonymously give frank appraisals of how they’re evolving toward a mutually supportive CISO-board relationship.

The Integration of Cyber and Business Risk Management

Both CISOs and business leaders are seeing a better integration of cyber and business strategy. The CIO of a Singapore financial services company echoes the sentiment of many Mimecast survey respondents in saying, “Both sets of leaders coordinate and work toward achieving sustainable business goals.” As a CISO in the Dutch financial services sector puts it: “In the past, our tech leaders and business leaders did not communicate well, and we had lack of understanding. Now, thank God, we’re in much better shape.”

But in practice, such integration is still a work in progress at many companies. Cyber and business leaders are eager to continue driving it forward, as these sample comments from Mimecast’s survey describe:

• “Board members should include cybersecurity and cyber resilience in developing the organization’s business strategy framework,” recommends the CTO at a South African entertainment company.
• A Saudi healthcare company’s COO laments that it takes too much time and effort to get board-level approvals for investments in cybersecurity projects because the board has limited understanding and doesn’t give cyber sufficient strategic weight.
• Citing tensions between prioritizing security and driving profits, the CTO of a German entertainment company describes an uphill battle: “Even though the board understands the seriousness, still, at times, they are unable to take steps in favor of the cyber department.”
• A healthcare industry CISO in Singapore emphasizes the need for more robust discussions: “Whenever there is a board discussion about cybersecurity, directors should talk about quantifying financial exposure to cyber risk, to help make decisions about which threats need to be addressed first and the amount of investment required.”
• And the CFO of a South African financial services company raises a complaint that highlights the need for improvement on the part of CISOs, saying: “Sometimes they only highlight the accomplished tasks and hide the problems.”

Closing CISO-Board Gaps

The WEF report quantifies the growing frequency of structured interactions between cyber and business leaders, saying that 56% of security leaders now meet monthly or more often with their board. “This is rapidly narrowing the cybersecurity perception gap,” the report says. The WEF, NACD, and Mimecast reports, taken together, offer some deliberate steps to tighten the CISO-board relationship:

• Boards should make cyber risk a recurring agenda item at their meetings, embedding cyber risk in operational and strategic decision-making.
• CISOs should measure, benchmark, and report cyber risk to the board in the language of business. “We've spent a lot of time on communication, learning to translate cybersecurity information into the business language of the board,” says the CIO of a global law firm. “There’s a lot of cybersecurity terminology that they just don't — and shouldn’t — care about.” So, the CIO communicates about cyber in terms that the board does care about: business operations and business risk.
• Cyber and business leaders should all understand the cyber threats that could inflict material business, operational, and financial harm, in order to develop effective risk mitigation strategies. 
• Boards and management should agree on their company’s cyber risk appetite.
• Boards should expect management to incorporate cyber risk in the company’s enterprise risk management program.
• New board members should undergo a cyber-onboarding process that starts with meeting the company CISO and otherwise brings them up to speed on cybersecurity.
• Cyber and business leaders should meet periodically to review cybersecurity systems and controls. The CISO of a financial services company, for example, has developed a roadmap dividing the company’s cyber priorities into three categories: regulatory issues, client concerns, and internal security assessments. Together, the CISO and CIO score the company’s performance in each area and present results to the board in chart form.

“The best leaders avail themselves of wide-ranging information and listen to all of their stakeholders, understand their role and impact, and exercise good judgment to achieve the optimum outcomes,” the WEF report summarizes. “These attributes are no less necessary in cybersecurity than they are in any other domain.”

The Bottom Line

Corporate boards are finally paying attention to cybersecurity, but they still have many other big priorities, such as economic strains, climate change, and geopolitical uncertainty. So, their increased involvement doesn’t automatically translate into more money or benefits for cyber defenses. Security leaders must understand their organizations’ risk profiles, communicate them well, and — above all — explain cyber risk as business risk. Read more about boards’ cybersecurity agenda in the Mimecast report: Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk.

[1] “Global Security Outlook 2023,” World Economic Forum

[2] “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” U.S. Securities and Exchange Commission

[3] “2023 Director’s Handbook on Cyber-Risk Oversight,” National Association of Corporate Directors