There’s no denying that a CISO has a lot on his or her mind. Whether or not they have an active role in board meetings, there are a few critical issues they need to discuss with the board.
CISOs are increasingly taking the lead and meeting with the CTO, CFO, and CEO on a regular basis to discuss cyber risk, security strategy, and how to handle digital transformation. While the CISO has become an important member of some executive boards, this is not the case everywhere. Perhaps the CISO-board relationship is strained, or the CISO and the rest of the board are at odds. For better or worse, the CISO’s thoughts sometimes fall on deaf ears.
If that’s the case, here are four things today’s CISO wants their board to understand, to help separate the signal from the noise.
Properly budget for cybersecurity
It’s been said repeatedly – don’t cut corners when it comes to cybersecurity. To keep up with today’s risks, global IT investment has increased over time. Cybersecurity spending has nearly doubled year-over-year, according to a new ISG research report, “What to Do About Cybersecurity Before It’s Too Late.” In 2020, it accounted for 4.7 percent of total IT spending, compared to 2.5 percent in 2019. Enterprises should spend at least that much to ensure that they are equipped to deal with tomorrow’s risks.
Failure to adequately budget for cybersecurity might result in a slew of issues. Organizations using legacy technology risk having limited or no visibility across their environment, leaving them vulnerable to data-related risks. Spending insufficiently on cybersecurity professionals, the defenders tasked with securing the company and its data, can also leave a company unprepared for the next cyber-attack.
When an organization fails to adequately support its cybersecurity program, it can lead to errors in judgement, such as making business decisions without considering the implications for IT.
Concentrate on metrics that promote trust
The number of threats a company has stopped is one of the most misleading metrics in cybersecurity. Metrics can occasionally fail to reflect the team’s hard work on a daily basis. Organizations should focus on measurements that promote confidence instead of creating confusion. They should consider including the following details:
- The dwell time of a cyber-threat — how long did an adversary remain in the system before it was discovered?
- Vulnerability and patching metrics – how long did it take the team to resolve an issue or deploy a vulnerability patch?
- What is the mean time to closure for high-risk items?
- How many incidents did the IT security team discover and address?
- What was the outcome of implementing a new security solution or launching a cybersecurity initiative, such as implementing multi-factor authentication or conducting a phishing awareness exercise?
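The metrics above only promote confidence if they are derived consistently from the same incident and vulnerability records every reporting period. The following is an added example, not code from the original article, showing how dwell time, mean time to closure for high-risk items, time-to-patch and the count of incidents handled can be computed from constructed sample records (the record layout, field names and timestamps are assumptions for illustration):

```python
from datetime import datetime

# Constructed sample incident records (not real data). Each record carries the
# three timestamps needed for the board-level metrics: when the adversary's
# activity began, when the team detected it, and when the incident was closed.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",
     "first_activity": "2024-01-01T00:00:00", "detected": "2024-01-03T00:00:00",
     "closed": "2024-01-04T00:00:00"},
    {"id": "INC-2", "severity": "low",
     "first_activity": "2024-01-05T00:00:00", "detected": "2024-01-05T06:00:00",
     "closed": "2024-01-05T12:00:00"},
    {"id": "INC-3", "severity": "high",
     "first_activity": "2024-01-10T00:00:00", "detected": "2024-01-16T00:00:00",
     "closed": "2024-01-19T00:00:00"},
]

# Constructed sample vulnerability records (not real data). A None "patched"
# value means the fix has not been deployed yet.
VULNERABILITIES = [
    {"id": "VULN-1", "risk": "high", "reported": "2024-02-01T00:00:00",
     "patched": "2024-02-08T00:00:00"},
    {"id": "VULN-2", "risk": "medium", "reported": "2024-02-01T00:00:00",
     "patched": "2024-02-22T00:00:00"},
    {"id": "VULN-3", "risk": "high", "reported": "2024-02-10T00:00:00",
     "patched": None},
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600.0


def mean_dwell_time_hours(incidents):
    """Average time the adversary was active before detection, in hours."""
    if not incidents:
        return None
    dwell = [_hours_between(i["first_activity"], i["detected"]) for i in incidents]
    return sum(dwell) / len(dwell)


def mean_time_to_closure_hours(incidents, severity="high"):
    """Average detection-to-closure time for incidents of the given severity."""
    chosen = [i for i in incidents if i["severity"] == severity]
    if not chosen:
        return None
    closure = [_hours_between(i["detected"], i["closed"]) for i in chosen]
    return sum(closure) / len(closure)


def mean_time_to_patch_days(vulns, risk=None):
    """Average report-to-patch time in days; unpatched items are excluded
    here and surfaced separately by open_vulnerability_count()."""
    chosen = [v for v in vulns
              if v["patched"] is not None and (risk is None or v["risk"] == risk)]
    if not chosen:
        return None
    days = [_hours_between(v["reported"], v["patched"]) / 24.0 for v in chosen]
    return sum(days) / len(days)


def open_vulnerability_count(vulns):
    """Number of reported vulnerabilities with no patch deployed yet."""
    return sum(1 for v in vulns if v["patched"] is None)


def incidents_handled(incidents):
    """Incidents the team both detected and closed in the period."""
    return sum(1 for i in incidents if i["closed"] is not None)


if __name__ == "__main__":
    print("mean dwell time (h):", mean_dwell_time_hours(INCIDENTS))
    print("mean time to closure, high (h):", mean_time_to_closure_hours(INCIDENTS))
    print("mean time to patch, high (d):", mean_time_to_patch_days(VULNERABILITIES, "high"))
    print("open vulnerabilities:", open_vulnerability_count(VULNERABILITIES))
    print("incidents handled:", incidents_handled(INCIDENTS))
```

Reporting the open-vulnerability count alongside mean time-to-patch matters: averaging only over patched items would otherwise hide the high-risk item that is still exposed, which is exactly the kind of confusing metric the section warns against.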
Building a cybersecurity culture should be a top-down approach
Even though getting and maintaining executive buy-in is crucial, organizations should understand that cybersecurity is a team effort. CISOs should build a culture where every team member understands the relevance of the program and the role they play in it. It is the obligation of everyone in an organization to keep it safe. Like any other companywide endeavour, this succeeds when the messaging originates from the top.
When CISOs are in charge of a new security effort, constant training is required, especially when new employees are onboarded. To ensure that employees remain aware and alert, CISOs should conduct regular risk assessments and phishing exercises.
It can be difficult to do so, but the company must abandon the concept of siloed departments. Each part of the company must feel intertwined with the others, as if they are all working toward the same goal of safeguarding the assets.
Cybersecurity strategy should be aligned to an acceptable framework
Just because a company hires a CISO doesn’t mean it’ll be secure right away. Cybersecurity requires nurturing; establishing and developing a robust program can take time. One of the first tasks is to ensure that the board of directors is aware of the organization’s current level of control maturity. CISOs can then devise a strategy for achieving increasing degrees of maturity over time.