6 Steps to Involve the Board of Directors in Your Cybersecurity Program


Business Security

How CISOs and their peers can better engage with boards to gain long-term buy-in for strategic initiatives


Building a more secure digital world requires action on several fronts. Initiatives like Cybersecurity Awareness Month (CSAM) are excellent opportunities to remind the general public of important good practices for password management, vulnerability patching and more. While this may help make life more difficult for cybercriminals targeting consumers, it is also an opportunity to focus business leaders’ attention on cyber risk.

In the United States, publicly reported data breaches rose 114% quarter on quarter in the second quarter of 2023, putting the year on track for another record. In Europe, the EU security agency ENISA warned in 2022 of an increase in zero-day exploits, ransomware-as-a-service, hackers-for-hire, supply chain attacks and social engineering. Tackling this problem is ultimately the job of the CISO. But for the role to be effective, it needs the right support from the board, which is why getting commitment and buy-in for security projects is so important.

Towards better alignment between IT and the business

There is often something of a disconnect between business leaders and those in charge of IT strategy and cybersecurity. Generally speaking, the perception when it comes to security is that it is necessary to keep cyber threats at bay, but not much more. In other words, many boards still view IT and cybersecurity as a necessary cost, but not as a revenue source – and certainly not as a business enabler.

The end result is that even though Gartner predicts global spending on security and risk management will grow by more than 11% in 2023, to $188 billion, that money will not necessarily be spent wisely. Disengaged boards tend to release budget in a piecemeal and reactive manner, for example in the aftermath of a breach. This leads to poor results and an accumulation of one-off point solutions that ultimately deliver a poor return.

In fact, according to one study, only two-fifths (39%) of security decision-makers believe their company’s leaders truly understand the role cybersecurity plays in business success. A similar share (36%) say security is only considered through the lens of compliance requirements. So how can CISOs and their peers better engage with boards to gain long-term buy-in for strategic initiatives?

Here are six suggestions:

  • Understand the business and speak its language

The first step towards better alignment is to understand the business. This means speaking not in a language of bits, bytes and complex technical detail, but in the language of business risk. That makes it far easier to engage board leadership and gain buy-in for a specific strategic initiative. Tell them a ransomware attack could take 200 servers offline and they may wonder “so what?” Explain instead that it could mean a week of downtime at a cost of $400,000 an hour, and the reaction will be very different.

  • Measuring risk and making it relevant

Conversing in a language both parties understand is partly about sharing data that translates cybersecurity information into metrics that matter to the board and the business. Good candidates are metrics that show the performance and effectiveness of existing security controls, illustrating both where things are working well and where improvement is needed. Tracking them over time adds impact, as do comparisons against industry benchmarks.

When you present them to the board, keep things simple and high-level. But don’t be afraid to use anecdotal stories from the company to make your point.

  • Promote security by design and by default

According to World Economic Forum (WEF), 43% of business leaders think it is likely that a cyberattack will “materially affect” their organization in the next two years. While it is positive that they appreciate the severity of cyber risk, it also reflects a boardroom mindset increasingly focused on channeling resources into day-to-day rather than strategic investments.

The CISO must persuade his or her peers at the top to think about cybersecurity more strategically, and thus achieve better results. Security by design and default is the best practice promoted by GDPR regulators and others. This means that security considerations should be built into new business initiatives or products from the moment they are created, rather than being added at the end or, even worse, after an incident.

  • Bring the CISO closer to the board

More than half (56%) of CISOs now meet monthly or more often with their board, according to the WEF. This is a big step toward board buy-in for security, especially given how quickly the threat landscape is evolving. However, much remains to be done to promote mutual understanding. One solution is to have the CISO report directly to the CEO, so that the CEO gets more exposure to cybersecurity and security leaders get more direct feedback from the business.

  • Formalize cybersecurity programs

Too many cybersecurity programs are ad hoc and technically focused. Instead, they should be properly documented, measured against relevant KPIs and metrics, and formalized in a top-down structure. This will help solidify the role of cybersecurity in the business.

  • Appoint Business Information Security Officers

The Business Information Security Officer (BISO) is a dedicated role within a department or business unit, responsible for liaising between that part of the business and the security team. In doing so, BISOs help translate high-level strategy into practical operational steps. They can build the security-by-design culture every organization should aspire to, and in the process prove to skeptical boards that security needs to be integrated into every part of the business.


According to the WEF, recent geopolitical instability has helped bring the perspectives of CISOs and boards of directors closer together on the importance of cyber risk management. Today, 91% of this combined community believes that a catastrophic, large-scale cyber event is at least somewhat likely over the next couple of years. But there is still a way to go. For many organizations, winning that all-important board engagement and buy-in will take months or even years. More importantly, it may require a change in mindset not only from business leaders, but also from CISOs.
