In recent guidance published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance, board members are advised to prioritize cybersecurity and give Chief Information Security Officers (CISOs) the resources they need to address cyber risks effectively. The guidance urges boards to foster a culture of corporate cyber responsibility in which cybersecurity is not subordinate to cost, performance, and speed to market. That does not necessarily mean boards will immediately loosen their purse strings: boards and executives will always focus on the bottom line and answer to their shareholders. Even so, boards now face increasing liability for cyber breaches, which prompts them to demand accurate, risk-based funding requests from their CISOs.
Historically, CISOs have struggled to effectively communicate important information to their boards. Chris Hetner, special advisor for Cyber Risk at the NACD, and council member on the NASDAQ Center for Board Excellence, explains that the recently updated rules by the Securities and Exchange Commission (SEC) for cyber risk management have made board liability for these risks more evident. This realization has led board directors to rally around the issue of cybersecurity threats. Consequently, CISOs now must articulate their funding needs for security programs more effectively.
Hetner emphasizes the importance of presenting cybersecurity risks in business terms. Rather than relying on highly technical metrics and reports that the board may not understand, CISOs should provide tailored reports that translate technical information into understandable, business-aligned metrics, ideally on a quarterly basis. Hetner believes that by showing how cybersecurity risks are being treated relative to other risks, and why that matters to the business, CISOs can secure the necessary funding for their programs.
Another key recommendation from Hetner is for CISOs to seek allies within the board and executive team when making funding requests. This includes involving the Chief Financial Officer (CFO) and Chief Executive Officer (CEO) in the decision-making process, as they often have the final say. Additionally, CISOs can reach out to other influencers in purchasing and business units that will directly benefit from the funding. By enlisting support from these individuals, CISOs can better understand the business risks and frame their funding requests accordingly.
Michael Bray, CISO of the Vancouver Clinic, has successfully applied the strategy of educating the board and executive team on their fiduciary responsibilities for cyber risk and funding. He emphasizes that the board is ultimately responsible for owning the risk and setting the risk appetite. It is the board's duty to provide strategic direction, oversight, and governance for security best practices and spending requirements. This includes understanding risk assessments, mitigation strategies, compliance efforts, and incident response, which Bray calls “breach management” when communicating with the board.
Overall, the guidance from NACD and the Internet Security Alliance highlights the importance of prioritizing cybersecurity and empowering CISOs within corporate governance structures. While boards will always be financially focused, the increasing liability for cyber breaches has driven a shift in their attitude towards cyber threats. CISOs must now take the initiative to effectively communicate the need for funding and engage key stakeholders within the board and executive team to ensure their cybersecurity programs are adequately supported.
