CISOs – the senior level executives responsible for developing and implementing cybersecurity programs for corporations and other organizations – are not happy campers these days. And it’s not just because they are chronically understaffed and under constant pressure.
As it turns out, Chief Information Security Officers (CISOs) often don’t see eye-to-eye with boards of directors on a number of fronts, even though boards have been taking cybersecurity more seriously and typically ask more sophisticated questions about risk exposure and management. This further adds to CISO frustration.
Things will likely get better eventually, partly because the Securities and Exchange Commission has proposed new rules for how public companies oversee cybersecurity and information technology. In addition, research firm Gartner predicts that 40 percent of boards will have a dedicated cybersecurity committee overseen by a qualified board member by 2025 – up from less than 10 percent today.
In the interim, however, it doesn’t help that cybersecurity experts are relatively rare on boards, as are CISOs themselves. According to executive search firm Heidrick & Struggles, only 12 percent of CISOs sit on corporate boards.
Struggling to agree with the C-suite
Spending on cybersecurity is often a big point of debate between CISOs and members of the board. CISOs think they need more. Boards usually do not. This disconnect is an example of where a cyber expert on the board would be positioned to give other board members better direction on how to judge cybersecurity spending. A cyber expert would be able to better guide board discussions about how much to spend on prevention and how much to spend on managing crises.
Disagreements and cloudy perceptions are hardly limited to monetary issues. According to a recent study of more than 600 board members by Proofpoint and Cybersecurity at MIT Sloan, a group of interdisciplinary faculty and researchers focused on cybersecurity, there is a gap between how prepared boards think they are to fend off a cyberattack and their ability to actually do so.
The survey found that 75 percent of board members understand their cybersecurity risks and have made adequate investments in cyber. But almost half of them – 47 percent – also feel their organization is unprepared to cope with a targeted attack, similar to the conclusion reached by CISOs. On another front, two-thirds of board members view human error as their biggest cyber vulnerability. While that is a lot, it is still far below the figure from World Economic Forum research, which attributes 95 percent of cyber vulnerability to human error.
Perceptions also differ regarding the alignment of boards with CISOs. More than two-thirds of board members say they see eye-to-eye with the CISOs in their organizations. Conversely, only half of CISOs feel the same way about board members. Among the few cybersecurity topics that the boardroom and CISOs do agree on are email compromise, cloud account compromise, and ransomware. (On the other hand, CISOs view insiders as their top threat, while board members do not.)
CISOs are partly responsible for some of these discordant perceptions. Many directors remain only partially prepared for their role in cybersecurity oversight. But so, too, are many CISOs. Reflecting their technical backgrounds, some tend to weave too much technical language into their board conversations, sometimes leaving directors scratching their heads in bewilderment. Many also aren’t good at translating cybersecurity threats into plain business risks.
Moreover, some CISOs, especially young ones, have been known to periodically suggest that big problems lie ahead if a request for a particular action isn’t quickly addressed, sometimes irritating board members.
Nonetheless, the aforementioned SEC proposal, joined by a similar bill in Congress, strongly suggests that relationships between CISOs and other top cybersecurity experts and the board of directors need improvement. The SEC rules would mandate that public companies disclose whether anyone on the board has cybersecurity expertise, and how much. The thinking is that insufficient cyber expertise may put corporate investors at risk.
There are some similarities between the SEC’s action and the Sarbanes-Oxley Act of 2002 (SOX). The latter mandated that public firms report whether a financial expert serves on the board’s audit committee. Noteworthy is that financial literacy, unlike cybersecurity, is commonplace and readily understood by board members. In contrast, most board members today are still trying to get their heads around the ins and outs of cybersecurity. Also, most firms subject to SOX already had a financial expert on the board, unlike the case with cybersecurity experts.
The SEC believes that the pending cybersecurity proposal will pressure boards to examine more carefully how well they understand cybersecurity. This is critically important. Serious cyber threats are a massive burden for most organizations, both financially and in terms of stress and managerial downtime.
Tips to help improve the relationship
There are additional steps CISOs can take to further improve their relationships with boards, pending additional improvements down the line. Here are some of them:
Continue improving organizational security amid heightened reliance on remote employees. Initially, most companies focused on whether their organization was capable of transitioning far more workers to a remote model while still providing adequate security. With that mostly accomplished, the focus now should be on maintaining security broadly and on the investments required to do so. Quarterly updates on the threat landscape may help.
Broaden security strategy to include duties not directly under your control. A good case in point is reliance on third parties. Most companies rely on them heavily, and board members increasingly want to know how their corporation is being protected against third-party security issues. They want to know whether security is built into every step of the supply chain and, if not, what investments are needed to rectify the situation.
Periodically remind board members that the maintenance of good security is an ongoing affair. Board members often want to know how much time a cybersecurity investment will buy the company. Answer the question, but then underscore that prolonging good security is a journey, not a destination. Security needs to evolve, making continuing investments in cybersecurity essential.
Not every director agrees that cybersecurity expertise is necessary in the boardroom. One concern is that a cyber expert on the board may prompt other directors to dodge their own duty to oversee cybersecurity risk. Also, most boards want to appoint directors with executive experience that can benefit several aspects of the business, not someone with primarily one narrow skill. While these points are valid, more and more boards believe that value-added oversight of cybersecurity is the better idea – and this is the way it should be.
About the Author:
Robert Ackerman Jr. is the founder and managing director of AllegisCyber Capital, an early-stage cybersecurity venture capital firm based in Silicon Valley. He is also co-founder and a board director of DataTribe, a seed and early-stage foundry, based in Fulton, Md., that invests in young cybersecurity and data science companies.
Bob has been recognized as a Fortune 100 cybersecurity executive and also as one of “Cybersecurity’s Money Men.” Previously, as an entrepreneur, Bob was the president and CEO of UniSoft Systems, a leading UNIX systems house, and founder and chairman of InfoGear Technology Corp, a pioneer in the original integration of web and telephony technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.