Aligning Strategies: CISOs, Boards, and Cybersecurity Risk Programs 

Sekhara Gudipati and Michael Salihoglu
| 9/19/2019

According to a January 2019 survey by The Conference Board, U.S. CEOs believe that cybersecurity is their biggest external business worry, followed by new competitors and risk of a recession. While all personnel share the responsibility of securing an organization’s assets and customer data, the onus lies heavily on senior management, and more specifically on the organization’s board, to understand the need for and importance of cybersecurity and to establish and maintain financial support for a robust program.

Awareness and recognition of cybersecurity among boards is increasing, but many organizations still struggle to support and adequately fund their cybersecurity programs. In some cases, this disconnect can lead to challenges for chief information security officers (CISOs) and the role they play in organizations.

Common patterns

When determining the root causes of the challenges CISOs can encounter, a few basic patterns of CISO-board relationships emerge. Generally, organizations fall into one of three categories: struggling, maintaining, or succeeding.

Struggling. In struggling organizations, CISOs attempt to manage their cybersecurity programs with limited or no board support. They lack clarity and executive-aligned direction in their roles. Because CISOs are focused on managing incidents and breaches reactively, they face consistent issues over time, such as slow remediation. Boards of struggling organizations often find that they are not properly informed on cybersecurity-related issues. One reason for this lack of information might stem from a dearth of CISO presentations or scant board questions during CISO presentations that do take place.

Maintaining. CISOs in maintaining organizations receive support and funding from the board, but they are still challenged to prove the program’s value. Like their counterparts in struggling organizations, maintaining-category CISOs find themselves playing “whack-a-mole” or “firefighting,” reacting to events instead of preempting them. Overall, they fail to make progress on the big-picture needs of the organization, such as embracing the continual digitalization of processes and data, leveraging automation, and exploring newer technologies such as multifactor authentication and cloud computing.

Succeeding. CISOs in succeeding organizations are continuously improving the cybersecurity posture of the organization, thereby gaining recognition and respect in the organization. They embrace new solutions to make the organization more efficient, accessible, and resilient for customers. They use enablement technologies such as cloud computing and take advantage of process automation. Succeeding CISOs present to the board regularly – ideally quarterly – and conduct interactive conversations with board members. They also empower leaders in the business to take ownership of cybersecurity functions within their purview.

Succeeding CISOs recognize that their role has evolved beyond IT and into operational enablement and mission support. Additionally, succeeding organizations accept the responsibilities of perpetual information security, and they continually rely upon the CISOs’ strategic vision.

Communication is critical

For boards and CISOs that want to align strategies, communication is critical. Productive, reciprocal, and communicative relationships can begin with a series of questions and answers. For example, boards often have similar questions when it comes to establishing, supporting, and improving cybersecurity programs. Questions can include:

  • Why do we need a cybersecurity program?
  • What should we be worried about?
  • What are we doing to stop bad actors?
  • Are we fulfilling our obligations to remain in compliance and avoid fines?
  • Why do we need to spend so much?
  • Are we spending enough?
  • How did this incident happen on our watch?
  • What are we doing to remediate this situation?

Constructive dialogues between boards and CISOs about these and other questions can help establish successful channels of communication. Then, with communication channels open and healthy, CISOs and boards can develop focused strategies to establish, support, and improve their organizations’ cybersecurity risk programs.

Boards and CISOs in alignment

When effective communication is in place, a strategic plan for establishing, maintaining, and improving a cybersecurity program can be implemented. Along the way, boards and CISOs alike have responsibilities to make sure they are working together to protect their organizations.

Roles and responsibilities

CISOs are, of course, focused on cybersecurity. But they need to have both an IT and a business perspective to establish cybersecurity risk programs and explain how cybersecurity risk affects reputational, financial, strategic, and operational risk. CISOs should understand business objectives and business risks, and they need to explore opportunities to gain a competitive edge and indirectly support business growth. For example, CISOs can showcase cybersecurity as a new business opportunity and capability.

To fully support their CISOs, boards must acknowledge that cybersecurity is not just an IT risk but a business risk as well. Boards must add cybersecurity onto their agendas and allocate the necessary time to discuss it. They should also take advantage of opportunities to educate themselves on cybersecurity risks. Boards must recognize that the CISO role is continuously evolving and that successful organizations benefit significantly from involving CISOs in critical business decisions such as merger and acquisition efforts and business expansion. They should also recognize that there is no such thing as “100% protected” when it comes to cybersecurity and their organizations.

Risk demonstration and communication

CISOs must use a combination of quantitative and qualitative metrics to communicate risk and business implications to the board. They should recognize that perfection is the first enemy in implementing risk quantification, because no 100% accurate risk quantification exists. Iterative implementation and continuous reevaluation can improve risk quantification over time. CISOs can also explain the complexity of cybersecurity risk, driven by the motives, evolving means, and never-ending opportunities of bad actors, and translate that complexity into terms of revenue, cost, and risk.

Boards should recognize the challenges involved in explaining and demonstrating cybersecurity risk and encourage CISOs to develop quantified risk management metrics where possible. They should ask for metrics that describe cybersecurity risk in a way that they can understand and ask questions to build on that understanding. Ultimately, boards and CISOs must work together to create a risk appetite level to scope the cybersecurity risk program appropriately.

Regulatory requirements and complexity

CISOs need to be fully aware of regulatory requirements related to the company’s business and clearly align the cybersecurity program objectives to both ensure compliance and align with business objectives.

In the same way, boards must understand the legal and regulatory implications related to the company’s business and provide necessary budget approvals for CISOs to plan the required programs.

Balancing cybersecurity risk management and cost

CISOs should balance strategies for both technology and business for the cybersecurity risk program. On one hand, the program must cover protection, detection, and response. On the other hand, CISOs must consider cost, value, and level of risk reduction.

Likewise, boards need to understand the importance of all facets of cybersecurity and its impact on business instead of focusing only on asset protection. They should also recognize that compromising high-value or sensitive assets negatively affects growth from new and existing customers and exposes the business to the financial burden of a breach.

Ownership and accountability

To minimize or avoid penalties – especially when a breach happens – CISOs should be able to clearly demonstrate to regulatory bodies and law enforcement the due diligence and due care exercised. They should continuously update leadership about potential risks and mitigations as well as actual incidents and breaches. Problems and areas of concern should always be followed by plans of attack and requests for management action.

Everyone shares the responsibility of securing an organization, so in response to a breach, boards should not simply fire their CISOs. Too often, boards might blame CISOs for incidents even when the right support and budget to harden the breached systems were not provided. To move forward proactively, boards should understand accountability and not only support but insist on the next steps to remediate the problem.

One more time: Communication is critical

When boards and CISOs develop and maintain productive communication, the organizations they serve become stronger and more resilient. Given the likelihood of an incident or breach – remember, it’s when, not if – strong CISO-board relationships are vital to any organization’s success.