The starting gun has fired. According to Gartner, 50% of the C-suite will have cyber-risk-related performance requirements built into their contracts by 2026. Cyber is finally being viewed from the perspective of organizational risk management rather than as an IT issue. Get ahead of the curve: begin with a robust cyber risk assessment strategy and avoid scrambling to identify your next Chief Scapegoat Officer.
Most Boards of Directors come from non-IT backgrounds. Only a fraction, about 4%, of S&P 500 independent directors have experience leading Cyber Security, IT, Software Engineering or Data Analytics, and that 4% is largely confined to tech-centric companies. Consequently, the demand for board members with cyber and security risk backgrounds is dramatically increasing.
Cyber should be number one on the agenda and covered at least once a quarter. Cyber is a board-level concern. You may not be able to fully satisfy the board, but you can make sure they are not dissatisfied in the event of an attack.
Essentially you want your executive audience to not think negatively of your cyber security program.
As a CISO, you should never get too technical with your leadership team, as they will simply tune you out. Instead, communicate by telling stories: show how other companies in similar industries have encountered cyber security issues and what they did about them, both successfully and unsuccessfully. Also demonstrate the changing threat landscape, and highlight the reputational, financial, regulatory and legal risk at stake.
What you want is for the board to hold cyber security culture at the top of its agenda. Get a formal declaration of support from the top, and your scope of authority will expand accordingly.
Articulating a cyber security strategy is critical as a CISO. But it should also fall to the Board to set the right security culture.
Your goal as a CISO is to keep the executive leadership team well informed and hold C-level executives accountable for funding and maintaining your cyber security initiatives.
The Board, too, must ensure the successful integration of cybersecurity measures for the benefit of all shareholders involved.
Solidarity, transparency, and trust are critical across functions in order to be able to respond swiftly and decisively in today's evolving threat landscape.