How engaged CISOs boost overall organizational security: 4 steps to take
This month's special edition of the Diligent Minute features insights from Renee Murphy. Renee shares her take on the latest findings from Diligent Institute and what they mean for the board, C-suite and senior leaders.
Companies with advanced cybersecurity ratings create nearly four times the amount of value for shareholders as companies with basic security ratings, according to a report from Diligent Institute and Bitsight. This empirical data reveals that the average cybersecurity rating of companies with a cyber expert on both the audit committee and the specialized risk committee is a very respectable score of 700. The average rating of companies without a cyber expert on either the audit committee or the specialized risk committee is a significantly lower 580.
For the uninitiated, cybersecurity ratings are like credit scores: The higher the score, the better. So, you might ask, what are some of the factors that have the most impact on an organization’s cybersecurity score? One key factor is the engagement level of the CISO.
While this might already be an accepted convention in security teams everywhere, the Diligent Institute and Bitsight research is the first time we have seen the correlation between the engagement level of the CISO and the overall security of the organization demonstrated with data.
To be better engaged in the organization, and in turn help elevate the organization’s cybersecurity score, CISOs can take these four actions:
- Embrace cybersecurity risk committees because they are worth the effort. Anyone who has worked in an organization large enough to require committees knows that they are a challenge all their own, especially when it comes to security risk meetings with the business. Bringing product, finance, human resources, facilities and others together to discuss their security risk and accept their responsibility in the mitigation strategy takes a level of political will that few CISOs are accustomed to wielding. The key is in making sure the culture of the organization is reflected in any program requested by the committee. I once had a security team say they needed to have a program that was fast, friendly and fun, because that was the corporate mission. So, we created a cross-functional cybersecurity program that reflected that culture.
- Work with audit to participate in audit committee work. If you are wondering why this is not the default for organizations, it is to preserve auditors’ independence. Sometimes referred to as letting the patients run the asylum, using your own security team to test its own work is decidedly not in the audit handbook. However, working with audit on the security risk affecting the organization allows them to scope their audits appropriately. With appropriate scoping, CISOs can bring to light the gaps in the security program, work to close those gaps with the help of the audit and compliance teams, and report that up to the audit committee. If I can impart anything to a CISO, it's that your internal auditor is your ally, not your adversary.
- No, trust me. You really do want to work with audit. With the CISO’s fate tied to the board in the U.S., and as cyber regulations increase worldwide, working with audit will go a long way in ensuring that the business and security are aligned and working correctly. If you are a CISO and you are not leveraging your audit community, you are working too hard on compliance. Don’t test your own controls; that is a job for internal audit. Don’t wait for the audit cycle to get feedback on policy and standards; engage audit early and often for guidance and feedback. They can maintain independence while keeping you from driving off a cliff.
- Use ITGRC as a framework to coordinate these efforts. Ultimately, ITGRC (information technology governance, risk and compliance) is the key to a CISO’s successful execution of strategic priorities. All the board-level strategies highlighted in the Diligent Institute research have security risks that require mitigation. But there are also good opportunities for improved employee experience, improved customer experience and upside in other parts of the business. An engaged CISO can use ITGRC to help execute on the board’s strategic priorities. This has the dual benefit of helping the board achieve its priorities (always a good thing!) and engaging the CISO in more aspects of the business.
And that has the follow-on effect of helping elevate the company’s cybersecurity score at the same time. It’s a win for the CISO and a win for the company.
Read the full report from the Diligent Institute and Bitsight: Cybersecurity, Audit and the Board.