
In this monthly column, I’ll be sharing my thoughts on some of the latest insights from Diligent Institute and what they mean for the C-suite and senior leaders.
Today I want to dive into what Diligent Institute has surfaced as some of the top priorities for boards in 2024, and what these priorities mean for chief information security officers (CISOs).
Items that top the board’s agenda should also be on the CISO’s radar. Board-level strategic risks seen through the lens of security can lead the organization in the right direction.
Risk is about context. Let’s take “The Wizard of Oz” for example. Who is Dorothy in “The Wizard of Oz”? Is she a 16-year-old girl who runs away from home during a twister? Or is she a stranger who lands in a foreign country, murders the first person she meets, is radicalized by the local government, which sends her on a quest where she radicalizes three more strangers, steals goods and services, kills another person, and then tries to escape justice by skipping town with a conman in a hot air balloon? In both scenarios, the 16-year-old is the same. Yet the risk situation is different depending on where we are (Kansas or Oz). What the board views as important, the CISO should also view as important – but needs to examine through the context of security.
According to findings from the What Directors Think 2024 report, published by Diligent Institute, Corporate Board Member and BDO, adding market share, streamlining the business/optimizing costs, and attracting and retaining talent top the list of strategic priorities for U.S. public company directors in 2024.

Source: What Directors Think 2024 by Diligent Institute, Corporate Board Member and BDO
Ultimately, ITGRC (information technology governance, risk and compliance) is the key to a CISO’s successful execution of strategic priorities. All the board-level strategies highlighted in the What Directors Think 2024 report have security risks that require mitigation. But as you can see, these are also good opportunities for employee experience, customer experience and other parts of the business. By leveraging ITGRC to track technology and security risks and incidents, the security team can meet the needs of the business on their own terms in a language that the business is fluent in – risk management.
By using their risk management lens and putting key initiatives into a security context, CISOs can ensure that following the yellow brick road doesn’t court unseen dangers – and instead is a pathway to organizational success.