The success of a CISO at an organization often depends on the support they receive from the board of directors. Therefore, they should look for attributes that speak of a security-conscious outlook in their board members.
Today, CISO turnover is legendary, with the average CISO tenure between 18 and 26 months. Most studies also indicate that CISOs are unlikely to last long at the firm of their choosing. In fact, as per “The CISO Stress report” conducted by Nominet Cyber Security, 24% of CISOs leave their organization within the first year of joining. The same report also found that 48% of them experienced a deleterious effect on their mental health. While this issue seems common given the critical responsibility they carry, it is not the only concern.
As per the report, 25% of CISOs felt that their board members didn’t accept or understand that “breaches are inevitable”. Furthermore, 25% of the respondents also agreed that their board members would hold them personally accountable for any security breach. Given the critical nature of the situation, it is essential that CISOs, before accepting the job offer or taking up the position, internally assess their board members. While the CISO is responsible for directly managing day-to-day security operations, it is the board that sets the culture, and an early assessment gives a hint of how they will do so. It will also help the CISO understand whether the board is likely to sign off on the financial and policy decisions associated with cybersecurity, and how well they will collaborate and try to address the situation if a security breach occurs.
● At least one security expert on the Board
Some organizations recruit a security person just for the sake of it, which suggests that person may not be involved in the decision-making process. The key indicator that a board is security-conscious and cyber-savvy is whether it has more than one member with security or technical expertise. This helps the appointed CISO get their point across to the board and ensures there is someone on the board who can vouch for their initiatives.
● Questioning attitudes towards security
While board members are not expected to know the ins and outs of cybersecurity, they should be knowledgeable enough not only to take in the information presented by the CISO but also to come back with probing questions. A better but rarer trait is a board whose questioning is not driven by a particular security incident that happened recently, but which asks questions that most corporate management has not even thought about.
● Conducting regular and detailed risk assessments
Security-conscious boards can identify and categorize their most important assets and create policies to protect them. But it is not possible to protect them all of the time, and boards often need to decide what level of risk they should accept. Another trait of a security-conscious board is having procedures in place for documenting those risk-based decisions. This helps them analyze the decisions that were taken prior to a security incident.
● CISO should participate in board meetings
Some organizations do not often loop the CISO into board meetings. Thus, whenever a CISO does get some time to put their points across, they try to cram all the information into a few slides that the board members are not able to understand. Hence, CISO updates should be on the board agenda multiple times throughout the year.