Very often corporate leaders do not have the expertise to understand the imperative that is cyber security. Coupled with the security technology leaders’ lack of business acumen, it could mean missed opportunities to align security and business objectives, leaving organizations vulnerable to potentially catastrophic cyber threats.
As per a 2021 survey conducted by ESG of 365 senior business, security and IT professionals, 85% stated their boards of directors are more involved in cybersecurity strategy and decisions now than they were two years ago.
Unfortunately, most CISOs do not understand how to translate technology into business language or how to employ common analogies and colloquialisms to move away from the “bits and bytes” of cybersecurity. As a result, their presentations to boards that are often concerned with technical proficiency rather than financial profitability fall flat, leaving security teams without the support and resources they require to adequately address business threats.
If board members do not understand cybersecurity, they may unintentionally accept a massive amount of risk. It’s the CISO’s job to translate this risk into business language, driving home the point that it could amount to business losses.
How can cybersecurity be improved in the boardroom and C-suite?
In the ESG study, about half of respondents described their leadership teams as “extremely involved” in essential cybersecurity operations such as budgeting, prioritizing investments, and developing a security culture. While this indicates progress toward total organizational cybersecurity-business alignment, it still leaves significant space for improvement, with researchers describing executive and board involvement in security projects as “cursory at best” in many firms.
Here are some suggestions for improving cybersecurity’s status in the C-suite, boardroom, and across the company.
Board members should be educated on cyber security risks
According to the survey results, updated cybersecurity awareness at the board level drives business leaders to take a more active and proactive interest in cyber-risk mitigation. However, CISOs who want to shift the boardroom perspective of cybersecurity on their own will have their job cut out for them.
As a result, many security leaders hire outside experts to help educate their boards on cyber risk, a step described by ESG analysts as an enterprise best practice. Third-party consultants and academics are perceived as having a high level of credibility by executives and directors, boosting the CISO’s argument for cybersecurity investment and providing a strong educational experience for the board.
Implement a CISO-to-CEO reporting structure
Most security experts think that CISOs should report directly to CEOs rather than CIOs. This reporting structure places security at the executive table, allowing CISOs to make significant contributions to the business while also improving senior leadership’s exposure to cybersecurity challenges. A CISO-to-CIO reporting structure, on the other hand, confines security professionals to the role of engineers, undermining cybersecurity-business alignment.
Create a cybersecurity culture
All employees should receive cybersecurity training and be aware of the essential role security plays in the overall success of the company. Leadership should also hold each department accountable for appropriate cybersecurity goals and metrics, allowing everyone to play an active role in protecting vital business assets.
Make the cybersecurity initiative official
A structured, top-down security program articulates high-level strategies and controls that correspond with the company’s vision and goal, making them explicit, executable, and trackable through comprehensive documentation, key performance indicators, and metrics. According to ESG, a defined program not only creates a path toward a more secure company but also provides CISOs and boards with a basic language with which to communicate cyber risk and security priorities.
For more such updates follow us on Google News ITsecuritywire News.