Cybersecurity has become increasingly prominent in the business world as a result of numerous hacking incidents affecting companies. This growing concern has placed cybersecurity higher on the agenda for many organizations, and the Securities and Exchange Commission’s requirements on cybersecurity reporting have further pushed companies to enhance their security measures. As a result, management boards are now more inclined to include the Chief Information Security Officer (CISO) or an equivalent position.
According to the 2022 Chief Information Security Officer Survey conducted by Heidrick & Struggles, CISOs already have the attention of the board. The survey revealed that 88% of CISOs present monthly reports on their activities either to the full board or to a cybersecurity board committee. This indicates that cybersecurity professionals have made significant strides in influencing organizational decision-making. However, despite the progress made, there is still much work to be done.
It is not enough for CISOs to simply provide insights about cybersecurity that the board can understand. While this is undoubtedly an essential skill, the biggest challenge that CISOs face is demonstrating how their security processes and updates actually reduce risk in measurable and achievable ways. This emphasis on action and tangible results can be a driving force for making necessary changes in cybersecurity approaches. It also presents an opportunity to improve fundamental aspects of cybersecurity operations, such as asset management and patching, by leveraging automation and artificial intelligence.
Gaining greater support from the board can provide the CISO with the authority to introduce new security planning and processes. However, for established companies, completely overhauling existing security approaches may not be feasible. Instead, organizations should acknowledge that breaches are likely to occur and accept that traditional processes and techniques may not be sufficient to keep up with evolving threats.
Another crucial aspect for CISOs is demonstrating the impact of their actions. They must consider whether the changes they implement will yield immediate results or if their impact will be realized in the long term. Moreover, it is essential to determine whether these results are one-off improvements or opportunities for sustained gains. This information will influence how CISOs discuss these aspects with the board. While quick wins may be beneficial for public relations, they may not always effectively reduce risk. CISOs must strike a balance between achieving short-term improvements and implementing measures that yield long-term risk reduction.
For newly appointed CISOs, making changes to prioritize patching can lead to rapid improvements. Demonstrating the successful resolution of critical security issues within agreed-upon service-level agreement (SLA) parameters is an effective way to exhibit proactive risk management. However, these SLAs may need to be adjusted to ensure that critical issues are addressed promptly. This data can also be used to negotiate lower cyber-insurance premiums by showcasing a well-managed and maintained system over time.
Furthermore, CISOs should manage expectations regarding long-term performance. As cybersecurity measures improve, the level of risk will naturally decrease over time. However, the development curve will become less steep, and the gains will be more incremental. Enhancing performance may also require higher costs, with diminishing visible returns. Nonetheless, this indicates the effectiveness of a mature cybersecurity program with a strong emphasis on risk management, albeit requiring considerable time to achieve. Setting realistic expectations around performance and risk early on will provide the necessary breathing room to continue taking action.
Gaining board-level attention is a sought-after objective for many CISOs as it enhances their career prospects and credibility. Therefore, it is vital for CISOs to emphasize their proactive approach and the successful execution of their priorities. Taking action is the most effective way to demonstrate their worth and justify the attention they receive from the board. In the words of Oscar Wilde, “The only thing worse than being talked about is not being talked about.” By actively addressing cybersecurity risks and implementing strategic measures, CISOs can prove their value and safeguard their organizations against potential threats.