Get communication right between the CISO and the board to improve enterprise security
If security is a hot button issue in your organisation – and of course, why wouldn’t it be? – then CISOs and the rest of the board need to more ably see eye to eye, according to a new report.
The report, from Kudelski Security’s Client Advisory Council (CAC), argues it is a two-way street. The board needs to see CISOs as equal partners in the C-suite, rather than ‘compliance chasers and one-way cost centres’, while CISOs need to see cybersecurity from a board point of view – as a business imperative.
The study aimed to capture opinions and discussions on how security leaders have improved relationships and communication methods to better inform their non-technical leaders, as well as explore the most challenging questions CISOs face from boards.
Number one on the list is the deceptively simple ‘are we secure?’ The report says security execs can nail this question by making clear that there is no such thing as perfect security, communicating the need for a risk-based approach, and filling gaps in the board’s knowledge with training and education.
Boards are naturally keen to find out whether the business has been breached, and if so how. Here, the report advocates storyboarding to explain to the board how such issues work. “Know that this question is all about assurance,” the report notes. “Boards know you can’t guarantee 100% security. What they want is confidence that the response to any breach is crisp and effective.”
If a question arises on how the organisation’s security program compares with peers, there is more than one solution. CISOs can benchmark a security program’s maturity against an industry framework, compare security spend with peers, or compare the maturity of individual program components. It is a similar story when boards want to know about resources: CISOs need to showcase the return on security investments in relation to the program strategy, alongside overall business objectives.
Ultimately, it is often a question of financial stewardship as much as technical stewardship. “Communicating with a board is among the most challenging yet vital and impactful responsibilities a CISO could have,” said Almir Hadzialjevic, vice president of enterprise risk and security at Aaron’s Inc. and a CAC member. “Most boards are made up of sophisticated leaders who, while being experts within their domain, simply do not speak ‘technology’. Nevertheless, they have a strong understanding of the business, risks to the business, financial and reputational implications, and play a critical role in the effective oversight of the company’s cybersecurity program.
“This presents a unique challenge for a CISO trying to relay the vital importance of a robust and mature cybersecurity program, and the need for investment in it,” Hadzialjevic added. “A partnership between CISOs and their board of directors is crucial, and the effectiveness of any company’s security program depends on it.”
You can read the full paper here (email required).