Chief information security officers (CISOs) face a credibility gap as they struggle to align cybersecurity with business risks, and board leadership often perceives cybersecurity professionals negatively.
These were among the results of a Trend Micro survey of 2600 IT leaders worldwide, which also revealed that only 54% feel the C-suite understands cybersecurity risks.
More concerning, nearly eight in 10 (79%) have been told to downplay the severity of potential risks, and fully 80% said that only by experiencing a serious cybersecurity incident would the board be more alert to potential risks.
More than a third said they feel like they’re treated as a part of the IT department rather than serving to reduce business risk, and 58% said a boost in IT communications skills would help improve their standing.
Gareth Lindahl-Wise, CISO at Ontinue, said that from his perspective, there are two common reasons corporate boards pressure CISOs to downplay the severity of cyber risks. First, “The risks have not been articulated in a way that the Board can work with and prioritize with the many other business risks,” he said. Plus, “The presentation of the likelihood of the risk event happening lacks credibility in the board view.”
A good CISO will not (over)use fear, uncertainty and doubt, and a good board will sniff it out when they see it, Lindahl-Wise said. “CISOs need to remember that cyber risks may not be the most significant risk to a business at a point in time,” he explained. “Faced with a ‘we will run out of money’ versus ‘this system may get hacked’ type decision, the CISO needs to make sure the impacts are clear and the chance of it happening is grounded.”
Tension between the CISO and senior board members is not necessarily a bad thing, as healthy tension helps businesses make decisions and set priorities. “Cyber risks need to be presented using the common business language in which other risks are assessed,” Lindahl-Wise said. “I submit that a lack of relatable information on likelihood is where the relationship between board and CISO flounders.”
Jose Seara, CEO and founder at DeNexus, said the best approach to handling board communication is to present them with reports in a language they understand. “This is one reason why translating detailed cybersecurity signals into business and financial metrics is becoming crucial,” he said.
Budgets are getting tight. Justifying cybersecurity investments by showing where the enterprise faces the greatest risks, measured in financial terms, is paramount, Seara pointed out.
Seara recommended establishing a cadence of updates with the board and demonstrating a path to improve cyber risk with detailed trends on how cybersecurity efforts reduce risk. “This will bring a level of transparency about cybersecurity that board members should embrace,” he said. “This can also directly feed into compliance requirements such as the new SEC cybersecurity regulation.”
With threats constantly evolving, CISOs have an opportunity to build a sustained level of communication with the board by keeping them abreast of the latest threats and changes in the company’s cyber risk posture, Seara explained. It is the role of the CISO to plan and be prepared for worst-case scenarios.
“However, with funding getting tighter across all enterprise functions including for cybersecurity, it becomes critical for CISOs to set budget priorities for cybersecurity projects,” Seara said. From his perspective, quantifying cyber risks in monetary terms is the best approach to allocating investments where they can have the greatest impact on reducing cyber risk.
Lindahl-Wise has always been an advocate of mapping risks back to specific goals or projects for an organization. “Do this and the stakeholders identify themselves before your eyes. You can have a conversation grounded in business objectives,” he said. It is “so easy” for a CISO to sound like a supplier – doing something important, but without really knowing the company. “Relate risks back to the objectives of the board members around you, and awareness and understanding will follow,” he advised.