Three ways to address the disconnect between cybersecurity leaders and the board
The cybersecurity landscape is constantly changing. New attack surfaces and threats emerge seemingly every week, with the recent high-profile attacks in Australia exposing our current vulnerabilities. Responding to the fluctuating threat landscape can be exhausting for security leaders and their teams, especially when they often lack the budget, resources, and board-level support to create sufficiently robust security strategies and frameworks to protect their organisations.
In fact, a 2022 report reveals that 77% of Australian Chief Information Security Officers (CISOs) say their organisation is unprepared to detect, deter and recover from a cyber attack. It is a worrying statistic, especially considering cybersecurity affects everyone.
So, how should security leaders and boards bridge the cybersecurity disconnect and prove the immense business value in appropriately aligning time, resources and budget to cybersecurity's upkeep?
1. Create open and clear lines of communication
Organisations that lack clear communication are the perfect breeding ground for cybercrime; if cybersecurity professionals can't explain the risks clearly and without jargon, boards may not understand the urgency. After all, security often carries a perceived complexity, but by conveying the business risks to the board in terms everyone can understand, security leaders can overcome the complexity barrier and encourage coordination and action.
To this end, security leaders should always frame and contextualise conversations with the board. Be open and honest about the state of your organisation's cybersecurity position and how that posture impacts the overall risk the company assumes.
To generate awareness and understanding amongst the board, these conversations should follow the same framework as any other risk area, asking:
- Do we have the practices and resources in place to identify cyber risks?
- Do we set an appetite and tolerance rating for risks?
- Do we monitor and manage against risks and allocate resources adequately?
2. Clearly define roles and responsibilities
While it's always important for boards to actively think about cyber risk, they also need to focus on overall digital resilience, of which cybersecurity is a significant component. Boards need to consider a range of security and digital resilience issues, which invariably intertwine and align with brand risk.
Too often, boards mistakenly try to manage cyber risk rather than governing the security leader's (and their team's) management of risk. Boards should not run risk management and operations but should govern and validate risk-tolerance levels.
After all, senior leadership isn't there just to execute the strategy. Yes, they should promote and champion innovations, setting an organisation-wide tone. Still, they should also give the security team the autonomy and support to focus on being the "department of how" when it comes to innovation, rather than being perceived as the "department of no."
3. Work with the CEO to measure progress
Effective measurement is imperative in creating successful cybersecurity strategies that will stand the test of time. That's where the security leader and CEO can work closely together to develop clear and concise measurements that allow board members to monitor progress. Measurements should be appropriate and presented in a way that's clear and understandable.
When it comes to measurement, it's fundamentally the CEO's job to guide risk topics, while it's down to security leaders to provide the board with an integrated risk view that articulates security investment priorities and complex converged risk scenarios clearly, and without technical jargon.
Closing the disconnect
An organisation's best bet for establishing an effective security posture is an involved and engaged board: one where executive teams and boards are looking at not just problems but solutions to make their organisations more resilient to cybercrime.
By closing the disconnect between cybersecurity leaders and their boards, organisations can better prepare to protect, detect, respond to and recover from the increasingly pervasive world of cybercrime.