CISOs and security leaders are constantly being reminded that cyber risk is now a business risk. And at the same time, organizations are realizing the financial implications of not having cyber expertise on their boards.
In fact, recent cybersecurity regulations from the White House, the Securities and Exchange Commission (SEC), and the EU are mandating a larger cybersecurity presence on boards of directors. While this is certainly a step in the right direction, board members with cybersecurity expertise are still not that common. At the same time, though, executives are now being sued as a direct result of a breach. With executives and board members becoming personally liable for cyber incidents, the answer to this problem lies in CISOs taking on more responsibility than ever.
IT Department to Boardroom
Historically, CISOs and other security leaders were solely in charge of IT matters. Their language, degrees, and job skills were geared towards the cyber health of their organization. While that is still certainly true, now more than ever, CISOs are taking a bigger seat at the table. The role of the CISO is moving from a technical role to more of an executive role, responsible for information security at all levels of an organization. And even if this role is symbolic (a way for a company to cover its bases, so to speak), CISOs should still sharpen their soft skills and learn how to communicate more effectively in terms their boards will understand.
Getting Board Members Up to Speed
Organizations have started focusing heavily on employee awareness training to prevent phishing and other cyber-related incidents. This is very much needed—and applauded—but in all of this, there must also be a greater emphasis on getting board members up to speed. Conducting tabletop exercises is a great way to get key stakeholders in the same room to discuss specific roles and responsibilities in the event of a cyber incident. These exercises are critical in helping the board understand the organization’s incident response plan in an interactive and engaging way.
Harnessing Metrics for Communication
What does this mean? It will vary from CISO to CISO, but it will mean much more engagement on budgets, third-party risk, resiliency, and more. Whereas boards used to pose these questions to the CTO, CISOs are now expected to be ready and able to speak intelligently about all manner of business-related topics.
One way for CISOs to communicate well with their boards is to use transparent metrics. There’s a growing need for a standardized metric to measure the cyber health of an organization, and that’s where Security Ratings come in. Security Ratings can facilitate a greater level of transparency, while enabling both board members and security practitioners to speak a common language, identify vulnerable areas, and communicate effectively. Additionally, they offer an easy and straightforward way for organizations to demonstrate their commitment to cybersecurity and assure customers that their data is protected.
The cybersecurity landscape is always changing, as is the role of the CISO. Regardless of the technical tools we use, refining our communication skills, empathy, leadership, and collaboration will only improve the organizations—and the people—we serve.