Company boards know they have to take cybersecurity seriously, yet, in practice, this is still often not the case.
According to Board Surveys, just over half of board members over 55 are confident about covering cyber risks. Yet, board members and directors under 55 disagree with this perception, suggesting that there might be a misunderstanding about what constitutes proper risk mitigation.
More evidence suggests that boards have less grasp on cyber risks than they perceive. A Harvard Business Review survey notes that, despite such high confidence levels, 65 percent of directors fear there will be a material cyberattack on their companies within the next 12 months. That same survey also finds that fewer than half of board members see their CISOs regularly, often only during board presentations.
“Boards might be getting the message to take cybersecurity seriously, but they often still don’t know what that requires,” says Gerhard Swart, chief technology officer at cybersecurity company, Performanta. “Something is getting lost in the communication, and there are perception issues. The board and CISO are often not on the same page.”
Building better understanding
Two strategies can close the gap between boards and their security duties. The first is to build closer personal bonds between board members and CISOs, and the second is to change how boards understand security issues.
CISOs are often not allowed to interact with board members outside some formal channels. They typically only interact with boards during formal presentations or through board committee activities, so there are few chances for them to understand each other on a more personal level.
“Security is complicated and one of a CISO’s responsibilities is to fit that complexity around their company’s risks. There isn’t a definitive checklist that you just follow and all the security pieces fall into place. It’s as much a philosophy as it is technical, and the CISO’s personality and experience will determine that philosophy. If all the board sees is an executive who gives them reports and performance indicators, but they don’t get to know the person, they miss out on a lot of nuance,” says Swart.
Likewise, a CISO who doesn’t respect the personalities and outlooks of board members will struggle to convey those nuances. It does not help when the CISO does not report directly to the board and remains obscured behind another executive.
“It’s quite normal for a CISO to report to a CIO or CFO, and that’s not necessarily a bad thing. But if the CISO is being prevented by the organisation chart from talking directly to the board and engaging with them through different opportunities, that will lead to problems.”
How to see security differently
One of the primary problems is a misalignment in measuring security investments. HBR reports that though 65% of board members expect a serious cyberattack within a year, fewer than 55% of CISOs agree. To add confusion, 76% of board members feel they have made adequate security investments, which is often not the case.
Perhaps most telling, only 67% of boards think human error is the biggest cybersecurity threat (numerous industry studies put that figure closer to 90%). Boards may understand they are responsible for cybersecurity, but many still don’t grasp it on a functional level.
“A big issue is that boards look at cybersecurity as technical and not business, so they try to solve it in technical ways. Just procure the systems we need, hire the right people, and have them do their job. Problem solved! But they fail to appreciate that, while all those steps are valid, it’s as much about the design and culture around cybersecurity,” says Swart.
“Are the security systems they use actually meeting their business requirements? Do they look at security as just a technical risk or also a risk inherent to their people, operations, and culture? Are they trying to mitigate risks, or are they focused on building resiliency? Or do they just see a list of risks and a budget that needs approval?”
CISOs must change those perceptions, which is why they need the opportunity to cultivate a more direct and personal understanding with board members. They can also take the initiative and bring more security insight to the board in terms the latter can appreciate and use.
“If your board has not yet undergone cybersecurity training, start there. This has two sides: introduce each board member to personal security habits so they can appreciate the risks in the context of their personal lives. The other side is integrated training where you bring security professionals and risk managers to them at the same time, demonstrating how these disciplines overlap. Boards think in business terms, so show the business links with cybersecurity,” says Swart.
Focus on communication
Other advice is that CISOs should be available to boards or provide ways for them to get answers. “The problem is board members usually have limited time and the wrong questions. You must give them context to work with. That means giving them reliable channels to make security-related queries,” says Swart.
Providing more communication channels and encouraging closer links between board members and CISOs can have an extraordinary effect on security awareness. Board meetings are often too short to get into substantial security topics, let alone security education, and some members might even shy away from asking specific questions for fear of looking stupid. The way to make boards appreciate security topics is by bringing security experts such as the CISO closer to them.
“It is possible to introduce ways for the two sides to communicate. It’s like that red telephone you see in movies on a president’s desk. You need a hotline between the board and security. That’s the way to cut down the confusion that is holding boards back from making the best security decisions,” says Swart.