The struggle to be heard: how CISOs can close the credibility gap with their boards
How CISOs can close the credibility gap with their boards
These are tough times to be running a business. Relief at exiting the pandemic was short-lived, followed by rampant inflation, sky-high interest rates, business uncertainty and geopolitical volatility. Against this backdrop, the last thing an organization needs is to have critical data stolen and systems crippled by cyber-attack. Or for a key supplier to suffer the same. June’s ransomware attack on an NHS provider showed the catastrophic knock-on effect such a breach can have.
That’s why CISOs up and down the country are trying to build a case for improving cyber resilience. However, their job isn’t easy. First, they have to convince a skeptical – and sometimes downright hostile – board.
Technical Director UK & Ireland at Trend Micro.
Why resilience matters
Cyber-resilience is all about addressing people, process and technology gaps to ensure an organization can continue to operate effectively even if it’s hit by a sustained and sophisticated cyber-attack. It means improving cyber-hygiene through best practices like multifactor authentication (MFA), regular security awareness training, backups, encryption, anti-malware, prompt patching and more. This “prevention” approach must be enhanced with detection and response to catch any threats that may sneak through – and recover quickly before there’s been any significant impact on the organization.
Unfortunately, this is getting harder than ever as digital investments expand the typical corporate attack surface. Half of UK businesses recorded at least one cyber-attack or breach last year, rising to 70% of medium-sized and 74% of large companies, according to the government. Ransomware isn’t the only threat facing these organisations. But it has become the largest one, according to the National Cyber Security Centre (NCSC), which also warns that the threat is expected to increase as malicious actors get hold of AI tools.
For some companies, it has become an existential risk. Boards facing the threat of IP or customer/employee data loss and/or service disruption should be well aware by now of the long-term financial and reputational impact on their business. Even relatively small-scale cyber-incidents can force some systems offline for investigation, and redirect resources away from important digital transformation projects.
Undermined and undervalued
Investing in cyber-resilience should therefore be an open-and-shut case for CISOs to make. Unfortunately, it is not quite so straightforward. For cyber strategy to function as intended in an organization, the IT or security lead needs to be heard and understood. The board must buy into their vision, implicitly understanding the business criticality of effective cyber-risk management.
Unfortunately, research reveals that boards are more likely to be disengaged and unenthused by cyber, viewing it as an IT risk and little more. In fact, most (80%) CISOs claim that their board would only be incentivised to act on cyber risk if there was an actual breach. Reactive investments such as these often lead to point solutions which fail to address fundamental challenges, papering over the cracks when something more holistic is needed.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
That same research finds that 79% of cybersecurity leaders have felt boardroom pressure to downplay the severity of cyber risks facing their organization. Many claim this is because they are seen as being “nagging” and are viewed as overly negative. A third say they have been dismissed out of hand.
Bridging the gap
This is partly the fault of the board. Although regulators are increasingly demanding more personal accountability for cyber incidents at a board level – which will certainly focus minds – there is more to do. CISOs can sometimes also be part of the problem, by packing their presentations with irrelevant metrics and industry jargon. That’s not the way to win over a business audience that wants answers to far more fundamental questions: How secure are we? What will it take us to get there?
To bridge the yawning boardroom credibility gap, security leaders need to keep their communications simple, to the point and free from tech-speak. They need to align cyber with business risk, and cybersecurity outcomes to business objectives. And they need to work harder to build personal relationships with board members.
The journey starts here
How do they get there? Using the right metrics is a good start. By consolidating point solutions onto a single platform for managing cyber risk, they can generate a single source of truth for more consistent reporting. The best outcome would be a solution capable of calculating risk based on attack landscape, user exposure and security configuration, as well as overall impact on the business. This could be used to continually map risk across the corporate attack surface and take automated remedial actions to close any gaps that appear, like vulnerabilities and misconfigurations.
The results could be displayed in an easy-to-consume executive dashboard, which helps senior leaders grasp the real-world implications of nebulous concepts like cloud misconfiguration and account compromise. This approach lights a clear pathway to closer alignment between security and business objectives, which could ultimately help to enhance cyber resilience. It may be a long journey ahead for some companies, but the alternative is far worse.
We list the best online cybersecurity course.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Technical Director UK & Ireland at Trend Micro.