CISO vs The Board: Putting An End To The Forgotten Voice
30 August 2017 11:41
Even with a host of recent wake-up calls, from WannaCry to Petya, a third of CISOs still aren’t involved with their company’s key strategic business decisions. Clearly, something has to change.
Within large enterprises, information security teams have long been cast as something of an unsung hero: working in isolation behind the scenes, keeping their organisation safe from the threat of fines, reputational damage and downright operational carnage, all while maintaining a low profile.
But while a Chief Information Security Officer may sound like Superman himself (that's right, we just compared your CISO to Superman), there's often a more subtle enemy in the mix. We're not talking about online criminals, rogue employees or even Lex Luthor himself. We're talking about the board. Granted, this may not sound like the next DC blockbuster, but the role of a CISO is still rather confusing in today's boardroom, and it is resulting in big risk.
The fact that a third of CISOs still aren't involved at board level, an issue raised by a ClubCISO report, reflects a divide that has existed since the inception of the role. In order to move forward and reduce organisational risk, companies will need to identify why this divide exists and, more importantly, how to rectify it.
Despite lines of communication drastically improving in recent years, CISOs still think that boards have their infosec priorities all wrong. With the deluge of cyber security stories hitting the headlines, the knee-jerk reaction from company boards has been very much focused on dealing with visible threats and securing perimeters. What is needed, however, is a far more holistic approach, weaving security and recovery into the very fabric of the organisation as a whole.
The language barrier
A key issue that has presented itself time and time again is that company boards are often short of the time it takes to fully understand the multitude of threats facing their businesses. The issues they focus on are the ones they read about on their morning commute, rather than the long-term strategies seasoned CISOs have devised using their extensive knowledge of the threat landscape.
It is important to note that the divide of understanding is rarely a result of friction between the ranks. It is usually a case of misunderstanding and confusion.
The communication maze
Considering this, it is easy to understand exactly why the disconnect between CISO and the company board exists. The CISO is often expected to act as the cleanup crew lead, without sufficient scope and resources to effectively manage the aftermath of a breach.
Over the past few years, research has consistently shown that information security is struggling to embed itself in the company hierarchy, with CISOs reporting into matrix structures where influence is lost. Of late, however, there have been drastic improvements in this area: just under two-thirds of CISOs now report directly to a CIO or CTO, a figure that has doubled compared with the 2016 ClubCISO Information Security Maturity Report.
Finding the right balance
Ultimately, CISOs may end up reporting to CEOs, COOs, CFOs, CTOs, CIOs or CROs. What matters is to truly have the ear and the attention of the board, and to have engaged conversations about the cyber risks they face.