How CISOs Can Build Support for Cybersecurity on Their Boards

Align cybersecurity with your board’s vision. Learn how CISOs can bridge gaps and secure crucial support for robust cyber initiatives.

October 5, 2023

Although cyberattacks are becoming more frequent and destructive, CISOs (chief information security officers) often struggle to secure their boards' full support for critical cybersecurity initiatives. To address this problem, CISOs must present the case for cybersecurity clearly and concretely, propose cost-effective interventions with a clear record of success, and build stakeholder support around a shared strategic vision, says Matt Lindley of NINJIO.

The necessity for robust cybersecurity is becoming clearer by the day. Cyberattacks are costlier and more sophisticated than ever, new technologies like AI are putting companies at greater risk, and safe data management is vital for consumers and regulators. However, while companies are increasing their investments in cybersecurity, these investments aren’t keeping pace with the evolving cyber threat landscape.  

CISOs are responsible for making the case for cybersecurity to their boards, but this isn’t always a straightforward process. Board members have various competing concerns and priorities, from budget constraints to other strategic investments. In cases where CISOs aren’t aligned with the rest of the board, they need to be capable of making a compelling case for cybersecurity. This means emphasizing proven, cost-effective programs like cybersecurity awareness training (CSAT) to generate strategic alignment. 

Negotiating with the rest of the board is critical for any CISO, especially as cyberattacks become increasingly common and crippling. While it can be frustrating for CISOs when they don’t have the full support of their boards, they should view these strategic discussions as a way to earn more sustainable buy-in for crucial cybersecurity initiatives. 

How CISOs Can Improve Alignment With Boards

There have been some encouraging signs for CISOs in recent years. A 2023 PwC survey found that 70 percent of company leaders observed improvements in cybersecurity last year, partly due to investments in leadership collaboration. However, when CISOs are asked directly whether their concerns are aligned with leadership priorities, 63 percent say "no." This demonstrates that companies still have a long way to go in ensuring organizational alignment between CISOs and boards.

Many factors account for this misalignment, from mismatched expectations to a lack of expertise on the board. Eighty-two percent of CISOs say they feel pressure to make things seem better than they are when presenting to the board. It's difficult for CISOs to strike a balance between highlighting the success of cybersecurity initiatives that have already been implemented and demonstrating that there's more work to be done. Given that 88 percent of CISOs experienced a cyberattack or incident within the past year (as of October 2022), it's clear that the threat isn't going anywhere.

While CISOs are generally seeing an increase in their level of engagement with boards, there are still many gaps to bridge – from funding levels to strategic goals. In many cases, the cause of these gaps is insufficient and ineffective communication, which is why many CISOs need to reassess how they interact with board members.

Focus on Concrete and Compelling Communication

Most CISOs say their boards aren't completely prepared for the cyber threats they foresee and that the status quo needs to change. One of the major hurdles to board engagement is that CISOs don't think board members are sufficiently informed about cybersecurity. According to a 2023 survey, over half of CISOs report that their boards don't have enough "knowledge or expertise to respond effectively to cyber presentations." Although this is a significant challenge, it certainly isn't insurmountable.

A key tactic for improving board engagement is demonstrating the stakes and making a concrete case for cybersecurity. The latest IBM Cost of a Data Breach Report found that the average financial impact of a breach is $4.45 million – an all-time high. Beyond a successful cyberattack’s immense and immediate financial burden, companies can face devastating reputational costs, regulatory scrutiny, and other debilitating consequences. Board members don’t need to be technically inclined to understand that cyberattacks are extremely destructive, and it’s the CISO’s job to show them how much damage an attack can cause. 

Almost three-quarters of CISOs report adequate exposure to the board, but there are still stubborn misalignments on various issues. In some cases, this is due to disagreement over the allocation of resources, risk assessments, and strategic priorities. However, there are also many circumstances in which board members make decisions about cybersecurity without fully grasping relevant facts. CISOs have to ensure that board members aren’t underestimating the cyberthreats they face, which means presenting information about those threats in an accessible and memorable way. 

Show Board Members Why Cybersecurity Is Worth the Investment

Despite encouraging signs such as access to boards and an increasing emphasis on cybersecurity, 41 percent of CISOs still say they lack “adequate funding to build the security program required to secure my enterprise.” CISOs can’t just point to the huge potential costs of cyberattacks – they also have to propose interventions that will keep the company safe. This means identifying the most urgent cyber threats, determining how resources should be allocated, and outlining how performance will be tracked – a process showing board members that cybersecurity offers impressive ROI. 

CISOs are responsible for evaluating cybersecurity interventions and presenting them to the board. These interventions have to be capable of defending the company from the most harmful cybercriminal tactics, such as social engineering. According to the 2023 Verizon Data Breach Investigations Report, almost three-quarters of breaches involve a human element. This means human behavior, whether simple error or manipulation through social engineering, represents one of the most pressing vulnerabilities companies face, and it's why cybersecurity awareness training is so important.

Effective CSAT has to provide engaging and relevant cybersecurity content while accounting for employees’ individual personalities, behavioral patterns, and learning styles. Personalized CSAT gives CISOs access to in-depth data on employee performance and vulnerabilities, which they can share with the board. At a time when the cyber threat landscape is in a constant state of flux, it’s also essential for cybersecurity platforms to be adaptive. CSAT helps companies keep pace with shifting cybercriminal tactics, as educational content and assessments can be updated to reflect the latest cyber threats. 

Companies should expect cyberattacks to continue surging in the years to come, driven by rapidly emerging technologies like AI (which has sweeping implications for phishing and other cybercriminal tactics) and the powerful incentives for hackers to continue evolving. Now is the time for CISOs to improve coordination with their boards of directors to protect their companies from the increasingly dangerous cyber threats they confront. 

Matt Lindley
Matt Lindley is the COO and CISO of NINJIO, and he has more than a decade and a half of experience in the cybersecurity space. Prior to NINJIO, Matt was the CEO of REIN Cybersecurity, LLC, the senior technology manager and director of security services at Cal Net Technology Group, and the virtual CIO at Convergence Networks. He has held many other leadership positions in the industry, and he's an authority on IT, security, and a range of other issues.