Get the board on board: leading cybersecurity from the top down

Published 03 - December - 2019
Source: The Network (Cisco Newsroom)

“Boards are trying to get their arms around all of these different moving pieces,” said Steve Durbin, Managing Director of the Information Security Forum.

Nothing derails a company’s momentum like a major cyberattack. So it’s no surprise that security has become a regular topic at board meetings.

This was supported by a recent CIO study by Cisco, in which cybersecurity was cited as the top issue that CIOs raised to their boards, outpacing any other technology-related topic.

But are the right questions being asked in those meetings? Are the board and executive leadership teams using their influence to build cyber-resilient cultures across all corners of their organizations? And are they leveraging the right knowledge and expertise within their companies and beyond?

In a separate series of interviews, CIOs, CISOs, CEOs, and board members revealed their best practices for shifting the fundamental perception and execution of cybersecurity, along with their fears, which are fueled by sensational headlines around the most costly breaches.

“This topic is getting worse and worse,” a board member from an automotive manufacturer told Cisco. “I think basically people are confused, they’re worried.”

Among top-performing companies, however, a more positive vision of cybersecurity is emerging — one that goes beyond the common image of a purely defensive shield. These organizations view it as a growth driver, a key to innovation, and a competitive advantage. (Roman and medieval shields, after all, were used for defense and for pushing forward in battle.)

But for all that to happen, companies first need to get all senior leaders working — and communicating — in concert.

CIOs and chief security officers, for example, have a key role to play in guiding these high-level discussions. In many companies, however, technology leaders have yet to be granted a proverbial seat at the table. Others have gained a voice, but can’t present cybersecurity in the language of the business.

At the same time, board members and CEOs fail to assume their own, more expansive role in cybersecurity, which will be essential for maintaining brand equity and forward momentum in the face of relentless cyberthreats.

In short, cybersecurity is bigger than IT, and it’s bigger than the board or the CEO. To create a pervasive, cyber-resilient culture, security must span divisions, silos, and hierarchies.

In today’s threat landscape, the defenses, preparedness, and resolve of companies large and small are under constant siege. And that will only increase as rapidly changing technology and end-user demands upend the very assumption of a network perimeter or firewall defense.

Every organization needs to ensure that it’s firing on all cylinders, and that cyber-awareness extends to every level and across the company culture. Unfortunately, many companies are falling short. One study reported that the average security program only covers 67 percent of its organization.1

Top-down leadership is essential for creating a 100 percent cyber-resilient culture, but the board’s inaction is a key reason why many fall short.

“Boards are trying to get their arms around all of these different moving pieces,” said Steve Durbin, managing director of the Information Security Forum, “and need clear guidance from the security folks on what it is they should be doing. That for me is still one of the biggest gaps, one of the biggest challenges.”

To capture key insights on the board’s role in creating cyber-resilient cultures, and the kinds of questions they should be asking their own tech and security leaders, Cisco conducted more than 30 interviews with senior leaders — including CEOs, board members, and CIOs, all from mid- and enterprise-level firms in the United States, Asia, and Europe.