Better communication between the executive board and the CISO/CIO is critical to reducing cyber threats and risks.
Board members who want to take a more active role in creating and overseeing the organization's cybersecurity strategy recognize the need to communicate more frequently with the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO). Meeting once a quarter or twice a year is not enough for both parties to collaborate effectively.
How Does the Board of Directors Benefit From Greater Engagement with CISOs?
In 2023, the Harvard Business Review (HBR) surveyed 600 Board members about cybersecurity. Despite their organizations' investments, most Directors (65%) believe their organization is at risk of a cyberattack within the next year, and almost half believe they must prepare to handle a targeted attack. However, this increased awareness is not translating into improved preparedness.
CISOs analyze data on the current and projected state of cybersecurity risk and cost. They present that analysis to the Board of Directors when seeking funding for new initiatives, reporting a security breach, or explaining the organization's strategy for the coming year.
The Board will engage the CISO directly on several topics, including:
- New compliance mandates, such as DORA and NIS2 in the EU and the SEC cybersecurity disclosure rules in the U.S.
- The global economic impact of cyberattacks on organizations similar to their own.
- The organization's future strategy and its disclosure requirements, so that the CISO has the business context needed to plan.
According to the HBR, “69% of Board Members do not agree with their CISOs. Only 47% of board members regularly interact with their CISOs, and a third only see their CISOs during board presentations.”
This lack of interaction prevents meaningful discussions about cybersecurity. Proofpoint and MIT Sloan School of Management also reported, “65% of Board Members believe their organization is at risk of a cyberattack, but only 48% of CISOs share the same view.”
This misalignment hinders progress in cybersecurity within the organization and creates gaps of mistrust between the Board and the CISO.
These gaps often result in additional costly security breaches, higher cyber insurance premiums or policy cancellation, and turnover of talent within the organization. A breakdown in the relationship between the CISO and the Board can also cost revenue when clients choose to take their business elsewhere.
What the Board of Directors Should Know About Emerging Threats
Boards subscribing to cyber threat reports from Gartner, Forrester, and IDC are becoming more common. Frequent access to industry analysis helps the Board understand how severe emerging cyber threats have become, and whether those threats apply to their own business.
As an example, board members can consult the analysis published by IT Governance UK, which includes useful infographic data on reported incidents.
“In the first month of 2022, there were 95 security incidents reported globally, compromising nearly 66 million records. These incidents affected organizations in various industries, including banking, retail, education, and healthcare.”
Board members who invest time in emerging-threat data create valuable talking points for their discussions with the CISO.
What Core Topics Should Each Executive Board Member Know Before Meeting with the CISO?
As cyber threats grow and companies invest in cybersecurity, Boards play a crucial role in managing cyber risk and meeting regulatory requirements. The CISO is critical to the organization's cybersecurity strategy, its execution, and daily operations. Collaboration between the Board of Directors and the CISO is therefore essential for managing risk, compliance, and cost.
Before meeting with the organization's CISO, each Board member should have several talking points backed by data from a trusted source. Here is a list of questions every board member should be ready to ask the CISO:
- What is the current status of every compliance mandate the organization is required to maintain?
- How much of this year's cybersecurity, compliance, and risk management budget has been spent, and on what?
- Did we experience any breaches in the current quarter that the organization must report to the SEC? (Under the SEC cybersecurity disclosure rules, a material incident must be disclosed on Form 8-K within four business days of the materiality determination.)
- Did the organization suffer any of the attack types forecast in Gartner's security prediction report for the current year?
- What is the status of remediation for all currently high-risk, high-exposure areas, and what can be done to speed it up?
- Which areas lack a proper risk assessment, and what can be done about it?
- Which security KPIs are defined, and how often are they updated, so the Board has near real-time visibility between scheduled meetings?
- Do we have enough security operations and incident response resources to handle the volume of threats?
The CISO's answers to these questions give the Board the information it needs for its reporting obligations and business forecasting.
How is the Global Threat Landscape Changing the Makeup of the Board of Directors?
Global threats evolve in complexity and velocity every day, and attackers adopting artificial intelligence and machine learning tools increase both. Several areas within any organization, including finance, human capital management, supply chain, and product development, face these threats. Boards that create sub-committees for these domains must give each a cybersecurity oversight strategy, and those sub-committee strategies need to roll up into the Board's overall cyber strategy.
Boards Adjusting Legacy Charters to Meet New Regulations
Boards now recognize the importance of cybersecurity oversight because of the consequences and new regulations.
Consequently, there has been increased scrutiny of what boards of directors do to address risk management. While management has historically been responsible for running risk management, executive boards are now held accountable for ensuring that appropriate programs are in place.
This new level of accountability compels the executive board to consider recruiting more people with cybersecurity expertise. Traditionally, the Board of Directors treated cybersecurity as a technical issue rather than a business matter. Partly in response to successful cyberattacks, boards and their committees now recruit more directors with cyber leadership experience.
How Critical is Trust Between the Board and the CISO?
Confidence and trust between the Board and the CISO start with a shared understanding of the organization's measurable cybersecurity goals, risk management, and compliance governance. With an agreed-upon set of measurements, the Board and the CISO work from the same view of the organization's security posture.
A Board and a CISO who want to develop mutual trust need to create governance around their measurement strategy and put it into effect.
Measurement results reviewed by both parties show which goals and milestones were met during a given period. Both parties should invest in a measurement system that becomes the shared "source of truth."
This trust relationship between the Board and the CISO is critical to the organization's goal of attracting and keeping customers. Without it, the organization struggles to protect client data, and without that protection it is difficult to establish long-term client relationships.
Should you need help or advice at the board level, please contact – Cubic Consulting at https://cubic.consulting. Help involves personal training, risk meeting preparation, cybersecurity strategy review, etc.