A recent Deloitte study disclosed that a meager 38% of Chief Executive Officers and 23% of board members were “highly engaged” in the subject. This isn’t surprising—business executives and corporate directors have long perceived cybersecurity as highly cryptic. Sadly, most executives are only forced to participate in cyber resilience by a damaging cyber breach.
Meanwhile, regulators keep tightening pressure on corporate directors to ensure their cyber governance mechanisms are effective and fit for purpose.
Cyber resilience can only be achieved when the most senior business officers are deeply engaged in strategy setting and execution and for this, CISO training is critical.
Based on our interactions with cyber leaders who go through our Cyber Leadership Program, there is a rising interest from the board and C-suite, keen to gain deeper insight into cyber risk and its implications to the business value chain. Despite the enthusiasm, however, corporate directors find themselves frustrated this time around with complex cybersecurity reports and vain metrics. We provide two practical tips to close this gap.
Align cyber strategy and risk management to corporate goals
To address this enduring challenge, cybersecurity professionals should raise their game, move away from numbing cybersecurity vocabulary, and learn to speak the language of the businesses they work with. Boards of directors have very limited time at their disposal and are not comfortable discussing ISO 27001 reports or NIST standards. Rather, they are concerned about how cyber risk will impact new product success, business growth, the cost of capital, innovation, customer trust, profitability, and other crucial business priorities. To get this right, Chief Information Security Officers (CISOs) must develop an in-depth understanding of business operations, value chain, strategic priorities, risk appetite, and regulatory environment.
This also requires CISOs to be provocative storytellers replacing “tech talk” with relatable analogies to persuade the board and executive management to act. Risk maps and detailed metrics are not enough. As Harrison Monarth wrote in the Harvard Business Review, “Data can persuade people, but it doesn’t inspire them to act; to do that, you need to wrap your vision in a story that fires the imagination and stirs the soul.”
Encourage board-level cybersecurity conversations
As we have emphasized before, cyber resilience can only be attained when the board and C-suite are fully engaged in the cyber transformation agenda. The best way to align the cybersecurity function and the board is to give the CISO direct access to the board. That way, the board can ask key questions and gain undiluted visibility into the enterprise’s key risks and strategic priorities. An alternative approach for boards that lack technical expertise is to invite outside management consultants with proven ability to inform the board if they are over or underspending cybersecurity. Some of the key questions the board should ask include:
- What are our high-risk information assets, and do they have appropriate cybersecurity defenses? (For example, are they running on vendor-supported infrastructure updated with the latest security patches?)
How do our cybersecurity capabilities, resourcing, and spending compare with industry peers?
- What are our current cybersecurity strategic initiatives, and how do they support the overall mission? Are they aligned with enterprise goals to account for current and future needs?
- How effective are our cyber breach response capabilities, and have they been tested?
- How effective are our cybersecurity assurance procedures of key business partners (especially those charged with handling sensitive information or connecting to the corporate network)?
- How does the residual enterprise-level, cyber-risk rating compare with our board-approved risk appetite? What activities are in place to reduce our business risk exposure?
- What were the top data breaches and other cyber-attacks in our industry, and how has the business applied lessons learned from those incidents?