Events such as the recent mass CDK ransomware attack, which closed dealerships across the US at the end of June 2024, hardly raise public eyebrows anymore.
Still, businesses and the people who run them are justifiably nervous. Every CISO knows that cybersecurity is an increasingly hot topic for executives and board members. And as the inevitable CISO/board briefing begins, everyone wants answers: Are we immune to attacks? Are we making progress? What could happen to us?
These are all fair concerns.
The question is how best to answer them. The board deserves clarity and brevity: information tied to business purposes, not technical details about fixes or attack methods. A disconnect between the CISO and the board can lead to misunderstandings, increased risk, and potentially devastating cyber attacks. That is why one of the main challenges for CISOs today remains: how do you present risk in a way that the board can understand and use to make informed decisions?
Check out the new XM Cyber eBook, The CISO's Guide to Board Risk Reporting. It's packed with strategies and tips to help you finally answer the board's risk questions with confidence and accuracy. By developing a plan for clear communication and measurable progress, CISOs can build trust in the boardroom and secure the resources they need to effectively manage cyber risk.
Numbers speak
Despite this obvious and pressing need for communication, a recent study by Heidrick & Struggles, a leading executive search and corporate culture consultant, revealed a troubling gap between CISOs and CEOs. Only 5% of CISOs report directly to the CEO, indicating a potential lack of influence at the senior level, and two-thirds of CISOs sit two levels below the CEO in the reporting structure.
This means that most cybersecurity leaders are several steps removed from organizational decision-making. A Ponemon Institute study also found that only 37% of organizations believe they are effectively leveraging the expertise of their CISO. Research by Gartner highlights a similar trend: only 10% of boards currently have a dedicated cybersecurity committee overseen by a board member.
These figures reveal significant weaknesses in how organizations structure reporting lines and how boards receive briefings. Even where the CISO has a more direct reporting line, the challenge of translating risk into clear business terms remains.
Questions
As a CISO, asking yourself these five key questions can help you bridge the communication gap between your board and management, present a clear picture of the state of cybersecurity, and gain the support you need to effectively manage risk:
1. How do I justify my cybersecurity budget?
CISOs understand that strong cybersecurity requires ongoing investment. Without a clear rationale, your budget requests may be reduced or rejected entirely. So, prove that your goals are not only achievable, but worthwhile by demonstrating the return on investment in cybersecurity. Show naysayers that by providing resources to protect critical data and infrastructure, you are ultimately protecting the financial health of the organization.
2. How do I master the art of risk reporting?
Mastering risk reporting is critical if you want to change how executives think about cybersecurity. Non-technical audiences struggle with complex security threats. That’s why your reports need to be clear and data-driven. They must quantify the risks from a business perspective, highlighting the potential financial loss from a breach. In this way, you demonstrate the value of investing in security to protect an organization’s financial well-being – moving cybersecurity from a cost center to a business enabler.
3. How do I celebrate security achievements?
Don't just focus on the problems; celebrating security wins is critical. Recognizing your team's successes boosts organizational morale, fosters a culture of security awareness, and highlights the value of investing in cybersecurity. Public acknowledgment of attacks that have been thwarted can both deter attackers and reassure stakeholders of the organization's commitment to data protection.
4. How can I better collaborate with other teams?
Effective CISOs understand that cybersecurity is not a solo endeavor. Strong security relies on a company-wide commitment to vigilance. This is why collaboration with other departments such as IT, HR and Legal is essential. Working together, CISOs can integrate security training into employee onboarding and development programs. Moreover, your joint efforts can lead to clearer security policies that align with business processes. And collaboration strengthens incident response protocols, ensuring a rapid and coordinated response to security breaches.
5. How do I focus on what matters most?
CISOs are bombarded with threats and tasks. Prioritization is key. Focusing on what really matters ensures that resources are channeled efficiently. This means identifying the most critical security risks, aligning them with your organization's business goals, and addressing them strategically. By saying no to distractions and focusing on high-impact initiatives, you can optimize your security program and increase your organization's overall resilience.
Bridging the Gap: Effective Communication for CISOs
The rising tide of cyber attacks requires clear communication between CISOs and boards of directors. To bridge this gap and gain critical support, CISOs must prioritize effective risk communication. Ditch the technical jargon and translate complex threats into business terms. Highlight the financial impact of cyber attacks, the potential reputational damage, and the disruption to core operations. By framing cybersecurity as a business issue, CISOs can get board buy-in for important security investments. (Check out this article for more tips on getting management buy-in for security initiatives.)
Also, remember that communication goes beyond simply presenting issues. CISOs must also demonstrate progress, moving beyond a bare list of metrics to data-driven reports that show the effectiveness of security investments. Key metrics such as the reduction in the number of successful attacks, or the time it takes to detect and contain breaches, should be tracked over time. Presenting this data visually will help drive your message home.