How CISOs can prepare their boards for cyber risk

Cybersecurity presents companies and organisations of all types with a rapidly shifting threat landscape. Criminals create new risks and attack vectors, and revise old schemes; and no technology, no matter how good, can guard against ‘social engineering’ and scams.

Do boards need help getting a handle on cybersecurity? Yes, they do. Typically, the responsibility for delivering this help lies with the Chief Information Security Officer (CISO), whose role includes helping boards to understand technology risks, evaluate solutions and measure outcomes.

Appointing a CISO does not absolve boards and directors of their responsibilities – far from it. But to carry out their duties and fulfil their strategic roles, they need their CISOs to provide them with the information and knowledge they require.

Communication is the key

Every CISO should regularly update their board on incidents, attacks, breaches, mitigation strategies, new technologies and new opportunities. The Advanced Cyber Security Center (ACSC) notes in its recent report Leveraging Board Governance for Cybersecurity that while boards have a strategic role in cybersecurity, they must rely on the CISO to help them bridge any gaps in their knowledge – which, in some cases, can be considerable.

To this end, CISOs should supply regular updates, engaging the board around risk priorities and explaining cyber risks in their proper operational and strategic contexts. Updates should help boards to determine:

  • Are board decisions impacting cyber risk decisions?
  • Can strategic discussions be reframed to include cyber risk?
  • Are cyber risks considered when making investment decisions?
  • Where does responsibility for cyber risk lie?
  • Are cyber risks considered early in development and acquisitions?
  • Is there a committee that meets at least quarterly?

If the answer to any of the above is ‘no’, ‘not enough’ or ‘not yet’, then it similarly falls to the CISO to assist the board in determining and implementing an appropriate strategy to clarify, improve or resolve the issue.

The advantages of Modern Governance

Ultimately, these are all questions of governance, and CISOs require effective tools to meet their responsibilities. Company culture is critical, of course – the board must lead the way in creating an organisation-wide culture that’s risk-aware and cyber-savvy.

But there’s no doubt that technological risks require technological solutions. In addition to firewalls, anti-virus software and other security measures, CISOs require a Modern Governance platform if they’re to offer their organisation the full benefit of their skills and experience.

‘Modern Governance’ is an approach to corporate governance that relies on a unified software suite to provide the tools and capabilities needed to ensure compliance, information supply and board functionality.

These tools for good governance include secure communications and collaboration, board papers, note-taking, voting, data analytics and more. They make information and insights easier to access and will ensure CISOs and boards can fully discharge their duties.

Board expertise

Looking to the future, boards should look to appoint new members with expertise in cybersecurity, or at least with enough general technological savvy to be able to understand – and if necessary, interrogate – their CISO’s recommendations.

The ACSC’s report noted that “Most boards do not yet have sufficient expertise in technology or cybersecurity to serve as strategic thought partners on cyber risk”. It’s alarming that just short of two-fifths (38 per cent) of respondents indicated their boards saw cyber risks as only “somewhat significant”.

Downplaying cyber risk is dangerous considering how easily, and how quickly, cyber-attacks and data breaches can overcome or bypass IT security measures and cripple even the largest organisations.

Existing board members should be educated – by the CISO or a trainer – and their knowledge should be regularly updated. Cybercrime is always evolving, and cybercriminals are always trying to get one step ahead of their targets. Boards need to stay current or risk their organisation becoming a cyber-crime statistic.

Financials and business outcomes

To give cybersecurity its rightful prominence, it should exist as a separate category in the company’s budget, not just as a line item in the IT budget. Doing so will ensure it receives enough budget (and boardroom mindshare) to be effective.

Investments in staff, training, hardware, software and services are needed. To ensure a return on this investment, link expenditures to governance, security and compliance outcomes, and business objectives.

Similarly, create suitable metrics to measure your cybersecurity scheme’s effectiveness. Some should be operational, such as attacks stopped, compliance reports completed, or time lost to security incidents. Others should be strategic, such as identifying and mitigating new and emerging risks.

By adopting a technology-based, end-to-end approach to corporate governance, boards can significantly reduce the risk of their organisation falling victim to cybercrime. It’s ultimately their responsibility, but it’s up to CISOs to give them the tools and knowledge they need.
