Author: Mark Chaplin, Principal, ISF
19 Sep 2019
To what extent are boards’ priorities part of the CISO agenda?
Effective CISOs play a vital role in the running of a successful business. Beyond protecting the organisation against ransomware, privacy breaches and theft of intellectual property, the CISOs’ contribution extends to helping the organisation identify and meet business objectives and deliver on strategy.
With extensive dependency on technology, an increasingly complex supply chain and greater compliance obligations, the CISOs’ seat at the board table is justified. Reputation and brand might even ‘hang in the balance’. Yet, according to a recent survey by Grant Thornton, almost two thirds (63%) of boards still don’t have a representative responsible for cyber security.
For many CISOs, access to the board remains limited, often with a brief attendance as part of the risk management agenda item, either for reporting on cyber risk (at best) or delivering a post-incident update (at worst). With less than 10% of the board agenda covering risk management (according to a 2018 report by McKinsey), CISOs are left fighting to gain an adequate share of any remaining time to report on risks relating to information, technology, cyber and resilience.
“I’m lucky if I get 15 minutes to report on technology and cyber risk across the organisation.”
With almost 50% of the time at board meetings spent on strategy and performance management, this alone represents a great opportunity for CISOs to make a greater contribution to the business.
Leading CISOs, who have secured their place at the board table, enter uncharted territory and can face a formidable challenge, often inheriting broader business responsibilities that encompass strategy, business performance, employee engagement and investments – common areas of attention for a governing body.
Research and engagement with business leaders, CISOs and experts in academia and government suggests a serious, yet unacknowledged, concern at the board level, one that might be a contributing factor to the low percentage of organisations with a CISO (or equivalent) present at the board table: the lack of an adequate understanding of technology, how it is used to support the business and the consequences when things go wrong.
“Boards have lost control of their organisation’s technology but are not prioritising the issue due to an insufficient level of knowledge required to address related concerns.”
Information, technology and cyber risk directly influence every part of today’s enterprise, and subsequently, demand attention at the board level. As a result, the CISOs’ participation at every board meeting is now a matter of priority.
Here are five steps a CISO can take to make a difference at the board table:
- Embrace the organisation’s mission statement and business strategy, and use this to examine the organisation’s complete business risk landscape and corresponding opportunities being pursued.
- Create a safe and open environment in which to address board-level concerns, close knowledge gaps that individuals might have relating to technology and related risks, and establish a common understanding.
- Adopt the board’s approach to risk management, and include details about expenditure, financial losses and non-compliance costs when reporting. Seize opportunities to challenge, improve and align the management of all types of risk.
- Provide assurance through clear reporting of both risk and security performance in a manner that supports meaningful and informed decision making, always taking account of the organisation’s tolerance for adverse events and financial loss.
- Proactively engage with each member of the board, during and between meetings, to manage expectations and complement their areas of responsibility (e.g. strategy with the CEO, financials with the CFO, operations with the COO and culture with the CPO).
The Information Security Forum provides a range of best practice guidance and services aimed at meeting the needs of Chief Information Security Officers and other business leaders. Examples include:
- Engaging with the Board: Balancing cyber risk and reward
- Information Security Strategy: Transitioning from alignment to integration
- Engaged Reporting: Fact and fortitude