CISOs, Welcome to the Boardroom: Here’s What You Need to Know

This month, PacketWatch CEO Chuck Matthews explores how the role of CISO has changed and how they can have better conversations with their CEOs and Board of Directors.

Increasingly, Chief Information Security Officers (CISOs) are invited to participate in discussions directly with business leadership and the Board of Directors. The trend will only increase in 2024 as new cybersecurity regulatory rules from the Securities and Exchange Commission (SEC) take hold.

As such, CISOs need to understand their evolving role and how to communicate with nontechnical business audiences.

The Evolving Role of CISO

Recently, Splunk published The CISO Report based on a study of 350 CISOs/CSOs across 17 industries in 10 countries. The report provides some insights into the evolving dynamics of the CISO role:

86% responded that the CISO role seems like it’s almost a different job from when they started.

One notable trend is CISOs shifting to reporting directly to the CEO (47%) instead of the CIO (40%). This change represents a new challenge for CISOs – how to speak to business leadership effectively.

Closing Communication Gaps

Understanding the CEO and Board of Directors’ top priorities and concerns is paramount to be an effective CISO. Differences in perspectives can lead to communication gaps and hamper necessary advancement and maturity in an organization’s cybersecurity.

Bridging the communications gap is key to a CISO being more successful with these new audiences. Look at the varying perspectives between CISOs and board members on defining top success factors for a cybersecurity program pointed out in the study:

The CISO’s “new boss”, the CEO, is most interested in identifying and managing risk.

Additionally, the CEO reports to the Board of Directors, which oversees the business and regulatory compliance.

The one thing both parties seem to agree on is the ability to purchase cyber insurance is high on the list.

What does that say about their confidence in the CISOs ability to protect the organization?

Is it just a third-party validation by the Board? Or a vote of no confidence?

Having the Right Conversations

For many organizations, the Board receives only one cybersecurity-related presentation per year. As such, talking about best security practices to the Board will not be effective for the CISO.

A Harvard Business Review study titled ‘Boards are having the wrong conversations about cybersecurity’ notes that “cybersecurity presentations to the Board usually cover threats and the actions/technologies the company is implementing to protect against them.”.

Yet the Splunk report reveals that 90% of CISOs had suffered at least one disruptive attack during the past year, and 47% had multiple damaging attacks.

Given that reality, the conversation ought to change.

If it is unrealistic to think the CISO can prevent damaging attacks, the focus should shift to how the organization can “respond and recover with minimal damage, cost, and reputational impact.”

The HBR study goes on to suggest this approach: “…instead of going into detail in a board meeting on how our organization is set up to respond to an incident, we must focus on what the biggest risk might be and how we are prepared to quickly recover from the damage should that situation happen.”

That message is one the business and its overseers, the Board, will appreciate and understand.

Conclusion

These two studies suggest that CISOs need to use their new audience with the CEO and the Board of Directors to focus their message on risk and resilience. Something is going to happen regardless of any attempt to prevent it. Utilizing messaging that resonates with the business and the Board will make the CISO more successful.

Our entire team at PacketWatch is ready to support you if you need help with your ongoing cybersecurity operations. Contact us for a free consultation.

Chuck Matthews is the CEO of PacketWatch, a US-based boutique cybersecurity firm focused on incident response, managed detection and response, forensics, and advisory services utilizing their proprietary network-based threat-hunting platform.