Gartner predicts that by 2026, 70% of boards will include one member with cybersecurity expertise.
In the meantime, however, CISOs need to recognise that cybersecurity matters to the board. This means not only showing how the security program prevents bad things from happening, but, perhaps more importantly, how it improves the enterprise's ability to take risks effectively, and better still, how it can be used as a competitive advantage.
Gartner recommends CISOs get ahead of the change to promote and support cybersecurity to the board and establish a closer relationship to improve trust and support.
Importance of cybersecurity culture
EY says cybersecurity culture is about ensuring appropriate intrinsic beliefs (attitudes, normative beliefs and perceived control to perform a task) and behaviours throughout an organisation. In so doing, the right risks are addressed, employees at risk are identified, and the means to reduce these risks are defined.
Alex Tilley, head of threat intelligence for Asia Pacific and Japan (APJ) at Secureworks, says security is everyone's business. Organisations have invested massively in security technology, but just as important is recognising the threats and understanding where the company stands against them.
In his view, an organisation with a security culture in place is one where people are not afraid to admit that cybersecurity-related mistakes may have happened.
"Where we sit as an organisation in the world, all the way down to individual staff members and how they conduct their day-to-day business, things like phishing. These days it is around security culture, around being supportive and not punitive," he continued.
The CISO and the board
Richard Addiscott, a senior director analyst with Gartner, says increasing board oversight mandates require board members to attend to cybersecurity as part of their governance and oversight activities. This trend will require additional cybersecurity expertise on boards going forward.
Tilley says boards are responsible for the reliability of the business. "Increasingly, they are seeing these bad things happening to their peers around the world, and they are asking questions of their CISOs," he added.
"What are we doing to not become that headline? What is our (security) program? How are we moving our (security) program forward?"
Alex Tilley
He believes the board's questions will only grow in number and depth. They funnel to the CISO, who in turn will have questions for their security staff.
Becoming the trusted advisor
Tilley says the CISO needs to become that trusted advisor to the board. "The foundational relationship with the board needs to be established before a bad day happens. You don't want to be going in there when the bad day is happening and trying to form a relationship. You want to start these little discussions early to help them understand what you are doing and how you are driving the business forward," he said.
With breaches increasingly common, Tilley says CISOs have the opportunity to engage other departments, including HR, legal and marketing, and he suggests CISOs use these occasions to make connections.
When it comes to discussing security, Tilley recommends that CISOs rehearse the conversation with non-security and non-technology staff first.
"Be willing to process the feedback and revisit those discussions just to make sure that you are really clear in what you're trying to get across," he concluded.
Click on the Podchat player and listen to Tilley share his recommendations on how CISOs can take cybersecurity to the board, and secure buy-in in the process.
- Define for us what is a security culture. Why and how important is having a security culture in today's digital world?
- Who should lead the adoption of a security culture in the organisation?
- Gartner predicts that by 2026, someone sitting on the board will likely have cybersecurity expertise. In the here and now, however, how would you describe the relationship between CISOs and the board? Do they recognise that they need each other?
- From the CISO's perspective, can you name steps that the CISO needs to work on to build a foundational relationship with the board? What works and what hasn't?
- Can you share some tips for creating a board presentation agenda that will help the CISO establish his or her role as a trusted and credible leader?
- Conversely, what must the board do to help establish/acquire the trust of the CISO (and the rest of the executive suite)?
- Any advice for boards, security professionals and C-suite as regards the cyber threat landscape in 2023 and beyond?