In today’s digital landscape, cybersecurity is no longer an afterthought – it’s a critical concern for businesses of all sizes. However, a concerning disconnect persists between company boards and their Chief Information Security Officers (CISOs), hindering effective risk mitigation strategies.
According to board surveys, just over half of board members over 55 say they are confident in addressing cyber risk. Their younger counterparts are markedly less confident, suggesting a fundamental misalignment in understanding what proper cybersecurity measures actually require.
Gerhard Swart, Chief Technology Officer at cybersecurity company Performanta, sheds light on this disparity: “Boards might be getting the message to take cybersecurity seriously, but they often still don’t know what that requires. Something is getting lost in the communication, and there are perception issues. The board and CISO are often not on the same page.”
A Harvard Business Review (HBR) survey paints a grim picture, with 65% of directors fearing a material cyberattack on their companies within the next twelve months. Alarmingly, fewer than half of board members regularly interact with their CISOs, often only during formal board presentations.
Building Bridges Through Communication
Swart proposes two strategies to bridge this gap: fostering closer personal bonds between board members and CISOs, and reshaping how boards comprehend security issues.
“Security is complicated, and one of a CISO’s responsibilities is to fit that complexity around their company’s risks,” explains Swart. “There isn’t a definitive checklist that you just follow and all the security pieces fall into place. It’s as much a philosophy as it is technical, and the CISO’s personality and experience will determine that philosophy.”
When boards see their CISO only through formal reports and performance indicators, they miss crucial nuances. Conversely, if CISOs fail to respect the personalities and outlooks of board members, conveying those nuances becomes an uphill battle.
Reframing Cybersecurity as a Business Imperative
A primary issue is that boards and CISOs assess risk and the adequacy of security investment differently. HBR reports that while 65% of board members expect a serious cyberattack within a year, fewer than 55% of CISOs agree. Compounding the confusion, 76% of board members feel they have made adequate security investments, which is often not the case.
Swart emphasises the crux of the problem: “Boards look at cybersecurity as technical and not business, so they try to solve it in technical ways. Just procure the systems we need, hire the right people, and have them do their job. Problem solved! But they fail to appreciate that, while all those steps are valid, it’s as much about the design and culture around cybersecurity.”
CISOs must change these perceptions by cultivating direct, personal understanding with board members. They can also take the initiative and bring more security insight to the board, framed in terms the board can appreciate and act on.
“If your board has not yet undergone cybersecurity training, start there,” advises Swart. “Introduce each board member to personal security habits so they can appreciate the risks in the context of their personal lives. The other side is integrated training where you bring security professionals and risk managers to them at the same time, demonstrating how these disciplines overlap. Boards think in business terms, so show the business links with cybersecurity.”
Fostering Continuous Dialogue
Swart recommends providing more communication channels and encouraging closer links between board members and CISOs. “The problem is board members usually have limited time and the wrong questions. You must give them context to work with. That means giving them reliable channels to make security-related queries.”
Introducing ways for the two sides to communicate can have an extraordinary effect on security awareness. Board meetings are often too short to delve into substantial security topics, and some members might shy away from asking specific questions for fear of looking uninformed.
“It is possible to introduce ways for the two sides to communicate. It’s like that red telephone you see in movies on a president’s desk. You need a hotline between the board and security. That’s the way to cut down the confusion that is holding boards back from making the best security decisions,” concludes Swart.
As cyberthreats continue to evolve, bridging the communication gap between boards and CISOs is crucial for organisations to stay ahead of the curve. By fostering a deeper understanding of cybersecurity’s nuances and its business implications, companies can fortify their defences and navigate the digital landscape with confidence.