To be competitive today, CISOs must not only develop a comprehensive cyber defense strategy on a small budget but also persuade their leadership that cybersecurity is a priority.
Cyber-attacks on enterprises can be costly in terms of money, credibility, and lost business. CISOs constantly strive to keep their companies safe from debilitating cyber-attacks, but they frequently don’t get the assistance or support they need to do their jobs efficiently. As a result, CISOs often lack the budget to recruit staff and buy the systems needed to combat cyber-attacks, and they struggle to convince their CFOs to allocate more resources to cybersecurity.
In fact, according to a survey by the consulting firm EY, approximately half of CISOs believe their board does not yet have a complete understanding of cyber risk, and only 54% of companies schedule cybersecurity as a board agenda item on a regular basis.
Getting the board on board is the first step
The first priority for CISOs in achieving their goals is to ensure that board members consider the industry challenges involved in cybersecurity, not just the IT issues, and to emphasize the financial and reputational harm that a cyber-attack can do.
They must also convincingly illustrate the advantages of a robust cyber program for an enterprise, emphasizing the ability to seek external revenue opportunities, target potential markets, and upsell to current clients. The key factor is an understanding of the business loss the company might face in the event of a cyber-attack.
Along with the corporate aspects of cybersecurity, board members must have a greater understanding of the risks and the measures taken to resolve those threats in order to make responsible, strategic business decisions. CISO board presentations should include a review of the rapidly changing threat environment, including how hackers choose their victims, how they access networks, which defense mechanisms are likely to deter attacks, and how successful they are.
The information that the board requires
CISOs should deliver security strategies to directors in the same way the CEO provides budget and business planning updates. Security plans should explain how the security staff intend to protect the organization and what they can do to minimize damage in the event of an attack. Once boards have a better understanding of the technological challenges, they will be able to consider the solutions proposed to them and weigh in on what needs to be achieved.
To persuade board members, CISOs should propose a formal governance system that allows for accurate data reporting and interpretation, close to what the board might have for other company goals. Periodic assessments and evaluations, assigning ownership, providing proper resources to address challenges and requirements, and implementing reporting processes and governance structures with observable KPIs should all be part of the structure.
Members of the board are usually appointed for their business acumen; however, in today’s cyber-environment, that business experience must be filtered through the lens of the possible effect of a cyber-incident on the organization. CISOs will benefit by helping their board of directors adopt a “cyber-first” approach, encouraging the business to cultivate a stronger and more robust cyber posture.