CISOs grapple with board communication challenges amid economic downturn
Cyber risk has become an increasingly prevalent item on the board agenda as high-profile data breaches continue to disrupt operations. While CISOs no longer struggle for priority among other business functions, effective communication remains a persistent issue that hampers progress in the boardroom.
This challenge has become even more significant in light of the economic downturn. As the global economy slows down, organizations scrutinize the people, processes, and technology that constitute a security leader’s risk posture. In times like these, difficult questions are asked regarding priorities, and CISOs must justify their allocation of resources.
Given this backdrop, it is crucial for CISOs to communicate with the board effectively. A common language is necessary, especially as the organization focuses on critical aspects such as operational uptime, customer trust, reputation, regulatory compliance, and revenue generation. Discussions must revolve around operational risk rather than solely cyber risk. It is important to highlight that seemingly small cyber risks can have significant macro-level impacts, even if the technical details may seem disconnected from the organization’s operational concerns.
A noteworthy example is the Colonial Pipeline incident, where the shutdown resulted from compromised billing infrastructure and concerns about lateral movement into critical areas, rather than a direct attack on operational technology systems. Convincing the board in advance about the potential implications of seemingly tangential risks requires storytelling skills that highlight the big picture while incorporating technical nuances without sounding like a scaremonger.
Furthermore, security leaders facing challenging economic cycles must effectively articulate and defend the finer details of their investment priorities. As cost savings become a focus, the security function comes under scrutiny, particularly in terms of operational expenditure (OPEX). To address this, CISOs should break down the cost of each security initiative and demonstrate the risk reduction associated with that investment. Risk frameworks can facilitate this by providing a comprehensive view of how the various security initiatives combine to secure operations. Emphasizing the return on investment for initiatives like identity programs, which offer broad protection against cyber-attacks, can help build a compelling case for security spending.
Protecting the workforce is another crucial aspect of the cost argument for risk initiatives. During tough economic times, organizations may be tempted to reduce headcount for immediate cost savings. However, this shortsighted approach may result in significant losses when the economy rebounds. CISOs should position their people as a cost-effective defensive investment rather than an overhead, highlighting the value they bring to the overall security posture and the potential consequences of eliminating key roles.
In addition to framing communications in business terms, CISOs must prioritize stakeholder management when communicating their cyber risk strategies. Understanding which members of the senior team have influence over budgets and strategy is essential. By involving these stakeholders early in the decision-making process, CISOs can ensure joint ownership of proposed strategies and initiatives. Clear and transparent conversations about the role of cyber risk in different operational areas can help prevent misunderstandings and alleviate potential friction.
The challenge of communicating with the board is not a new one for senior security leaders. The industry has made significant progress in recent years, but current market conditions add additional pressures to justify resources. Collaboration, business-centric communication, and strategic investment allocation are key to weathering the economic downturn. By taking the time to educate key stakeholders and presenting risk strategies in a clear and actionable manner, CISOs can navigate the boardroom with greater ease.
About the Author
Tim Fleming, a Strategic Advisor at Silverfort, brings extensive experience in the IT sector to assist organizations with technology challenges. After retiring from Deloitte, Tim now works as a consultant and advisor in cybersecurity and CIO advisory, including IT strategies and operations.
Tim’s expertise is particularly valuable in industries such as media, finance, and professional services. Currently, he collaborates closely with Silverfort Inc, a cybersecurity software provider known for its unique approach to identity and lateral movement protection.
To connect with Tim, visit his LinkedIn profile (https://www.linkedin.com/in/tim-fleming-60651937) or the Silverfort website (https://www.silverfort.com/).
