Having a BISO and making CISOs report directly to the CEO are some ways to tighten Boardroom engagement in cybersecurity stakes.
Do you agree that, when Board members of your organization are more educated and engaged in cybersecurity matters, they ask tougher questions, dig deeper into issues, and are more likely to make the leap from technical to business issues?
A study was recently conducted via a web-based survey of 365 senior business, cybersecurity, and IT professionals in North America (US and Canada) and Western Europe (UK, France, and Germany) working at midmarket (500-999 employees) and enterprise-class (1,000+ employees) organizations. It found that only 23% of organizations prioritized the alignment of security with key business initiatives.
This was despite 82% of respondents experiencing a rise in cyber threats, an expanding corporate attack surface and the fact that their business processes were more dependent than ever on technology. Despite the rapid adoption of digital transformation processes in the past year, security was still viewed as primarily (41%) or entirely (21%) a technology area.
How the Board matters
Even without a small survey, many people know that the lack of cybersecurity prioritization is particularly true in the boardroom. However, the Board now tends to be more engaged in security decisions and strategy than before, and these top executives are usually passively drawn in because of a major breach, new compliance requirements or the creation of a security program by a CISO.
According to the Trend Micro study above, 44% of respondents had indicated that their Board had limited involvement in many critical cybersecurity operations. This lack of engagement meant many boards were only prepared to fund the bare minimum to meet requirements for compliance and protection.
With that in mind, here are the key recommendations to remedy this serious challenge:
- Add a Business Information Security Officer (BISO) to improve business-security alignment
A business executive with cybersecurity knowledge could drive security at a granular level into business processes, critical assets, sensitive data, and employee roles. This would also help align security with business productivity.
- Build a top-down, measurable program to help CISOs improve engagement with the Board
Too many cybersecurity programs are haphazard and technically focused. To align cybersecurity and the business, cybersecurity programs must be top-down, formalized and documented, and highlighted by KPIs and established metrics. This will help CISOs improve engagement with business executives about the role of cybersecurity in the business, using a common language.
- Change reporting structures so CISOs report direct to their CEO
Many CISOs report to CIOs while 42% report to CEOs. The study discovered that a CISO to CEO reporting structure is a best practice for leading organizations. This makes sense as a direct reporting structure means more cybersecurity exposure for CEOs and more business input for the cybersecurity team. Thus, this is a good place for organizations to start.
Said Ed Cabrera, Chief Cybersecurity Officer, Trend Micro: “Striving for ‘good enough’ security is frankly not good enough given today’s cyber risk landscape. This report mirrors many of my conversations with CISOs highlighting that a lack of boardroom engagement can lead to poor cybersecurity, and security that is not properly integrated into business processes. We can only create a culture of cybersecurity if CEOs and corporate directors lead by example. This encourages every employee to believe they have a role in protecting the organization.”