Why Boards of Directors and CISOs Should Work Together More Closely

Cyberattacks are among the most significant threats organizations face, and boards of directors are taking notice. Not long ago, boards had limited awareness of cyber threats. Today, 77 percent of board members say cybersecurity is a priority, according to a new study conducted by MIT Sloan’s research consortium.

In fact, board members are more likely than chief information security officers (CISOs) to believe their organizations are at risk. The study found that 65 percent of board members think their organization will experience a cyberattack that materially affects the business within the next year. Just 48 percent of CISOs agree.

Boards and CISOs are in greater alignment when it comes to the biggest cybersecurity threats. Email fraud, cloud account compromise, ransomware attacks and supply chain attacks topped the list for both board members and CISOs. About half of board members and CISOs agree that their organizations are unprepared for these attacks.

Improving Communication

Boards have also changed their view of the CISO, from overseer of the cybersecurity infrastructure to an enabler of resilient business operations. However, 50 percent of board members say that the CISO’s role is limited to making presentations. They do not bring the CISO into board meetings regularly. Furthermore, just 51 percent of CISOs see eye to eye with the board, and 33 percent of board members lack enough knowledge of cybersecurity to have an informed discussion with the CISO.

Both board members and CISOs have a role to play in closing this gap. The board should keep cybersecurity on the agenda, and invite the CISO to discuss trends. Because they have a fiduciary duty to protect the organization’s assets, board members should seek the CISO’s advice on security strategies.

CISOs should keep board members apprised of the types of cyberattacks that pose the greatest risk and the potential cost to the business, presenting information free of technical jargon. They should also be prepared to answer business-focused questions and provide recommendations on cybersecurity investments that can help reduce risk.

Focus on Investment

When recommending those investments, the CISO should explain how the security tools can help detect, contain and eliminate threats, and compare the cost of prevention to the potential cost of a security breach. Ideally, the CISO should provide data that shows how the security investments will deliver value to the organization as part of an overarching security strategy.

Many board members will have to adjust their thinking about security spending. The MIT Sloan survey found that board members are most concerned that a security breach will cause exposure of sensitive data, reputational damage and lost revenue. CISOs worry more about business disruption, and need to help board members understand the strategic importance of adequate funding for cybersecurity measures.

Of course, the most significant challenge in many organizations is a lack of resources and expertise. In many cases, cybersecurity leaders are already struggling to keep up with existing threats. They could benefit from outside guidance and an independent, third-party perspective.

How DeSeMa Can Help

DeSeMa offers virtual CISO services that give organizations access to seasoned cybersecurity executives who can help develop a comprehensive security strategy. They provide unbiased guidance that helps cybersecurity leaders make more informed decisions. What’s more, they possess that rare combination of deep technical expertise and business acumen, enabling them to facilitate communication between IT and boards of directors.

Our consultants will perform a thorough assessment of the existing environment to understand what security tools are in place and identify gaps and weaknesses. In many cases, we find that the organization could resolve many issues by utilizing existing tools more effectively.

Cybersecurity has become a board-level priority, but there remains a disconnect between board members and security leaders. DeSeMa can provide guidance that helps CISOs and board members work more closely together to reduce risk.