
THE CISO CYBER COMMUNICATIONS GAP


CYBER IN THE BOARDROOM

 

A Harvard Business Review survey of 600 boardrooms found that only 47% regularly engage with their company's Chief Information Security Officer (CISO). This disconnect likely stems from a lack of board members with the necessary expertise to effectively communicate with the CISO. Research also shows that just 51% of directors at Fortune 100 companies in the United States possess relevant cybersecurity experience. The issue is even more pronounced among Fortune 500 companies, where only 9% of boards include directors with a solid understanding of cybersecurity.

In the UK, the situation is much better, although there is still room for improvement. For example, a 2022 study by PwC found that 59% of directors acknowledged their board is not particularly effective in understanding the drivers and impacts of cyber risks for their organisation. Similarly, another study by Russell Reynolds revealed that the majority of directors "only somewhat" understood their cybersecurity vulnerabilities.

The good news is that the Board-CISO relationship has improved significantly in the UK. In 2024, 84% of UK CISOs agree their board members see eye-to-eye with them on cybersecurity issues. This is a significant jump from 74% in 2023 and 65% in 2022. Despite this amicable situation, there are still communication gaps between CISOs and board members that need to be addressed. Experienced FTSE 100 Executive and Board Advisor, Richard Brinson, says:

 

“We found many board members don’t understand their unique role on cybersecurity, lack the right level of cyber awareness and are scared to turn to their CISO to bridge this gap, for fear of exposing their lack of understanding.”

 

BOARDS FOCUS ON CYBER PROTECTION

 

Human error remains the Achilles' heel of cybersecurity, with 65% of UK CISOs recognising it as the most significant vulnerability. Amid a year of increasing insider threats and people-driven data loss, a record number of CISOs view human risk, particularly negligent employees, as a major cybersecurity concern for the next two years. At the same time, according to the 2024 Voice of the CISO Report, 84% of UK CISOs are optimistic and believe that employees understand their role in protecting the organisation. As a result, many companies concentrate their cybersecurity investment on protection. For example, in many board meetings the primary focus revolves around how frequently the company conducts phishing tests and the associated statistical results. However, this view of board oversight is misguided. It is well understood that complete protection is unattainable, regardless of how much is invested in technologies or programmes to prevent cyberattacks. While dedicating resources to safeguarding assets is crucial, limiting the discussion to protection alone could set the stage for disaster.

  

SHIFT TO CYBER RESILIENCE

 

The CISO-boardroom conversation needs to prioritise resilience. The assumption should be made - for planning purposes - that a cyberattack of some sort will occur, and organisations must be prepared to respond and recover with minimal damage, cost, and reputational impact. For example, rather than delving into the specifics of how the organisation is set up to respond to an incident during a board meeting, the focus should be on identifying the biggest risks and how prepared the organisation is to recover quickly if such a situation arises. To shift the focus towards resilience as the primary objective of cybersecurity, directors could request that their operational leaders develop a vision for how the company will respond and recover when an attack takes place. David Christensen, CISO and VP of PlanSource, a Stateside technology automation company, says:

 

"Cybersecurity goes beyond addressing technical risks. It is an organisational problem that requires business alignment and should be viewed as a strategic imperative. Including cybersecurity experience at the board level is necessary to overcome the perplexities that often accompany discussions around cyber-risk, allowing boards to ask the right questions and provide the right oversight."

 

CLOSING THE CYBER COMMUNICATIONS GAP

 

In the boardroom, CISOs need to shift from merely ensuring compliance to offering risk-based assessments and mitigation strategies to the board. Here are three ways security leaders can strengthen their relationship and close the communications gap with the board:

 

  • Assess risk with data-driven evidence - The level of acceptable risk varies for each business, depending on its priorities, objectives, customer needs, and market. CISOs should present their assessments from the board’s perspective, focusing on how certain risks could hinder the company’s goals. Instead of highlighting technical issues like an unpatched web server, CISOs should emphasise the potential business impact, such as revenue loss from a marketplace outage, and demonstrate how effective strategies have mitigated such risks. CISOs must be clear, truthful, and data-driven in their communication, offering a strong, informed perspective rather than leaving the board to draw its own conclusions.

  • Contextualise risk with business objectives - CISOs typically calculate risk using the formula "likelihood multiplied by impact," categorising the outcome as high, medium, or low. However, expressing the impact in monetary terms more effectively conveys business relevance and helps risk mitigation compete for investment alongside other priorities. Although CISOs may hesitate to quantify risk in financial terms due to the inherent imprecision of risk assessment, the board is used to dealing with probabilities, so estimates only need to be accurate enough, usually within +/- 30%, to provide meaningful context. Properly assessing risk within a business framework enables the board to make data-driven decisions that are easily communicated to stakeholders. CISOs don't need perfect accuracy, just a well-supported, directionally correct stance.

  • Make actionable recommendations - Go beyond merely identifying risks by providing actionable insights to mitigate them. CISOs should assess whether a vulnerability requires immediate action or whether it is more of a long-term security posture concern. CISOs must build credibility by backing their assertions with data and avoiding exaggeration about the level of risk the organisation faces. With a well-supported case, the board will be more inclined to listen and approve the recommended actions.
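The "likelihood multiplied by impact" approach and the shift to monetary terms described in the three points above can be made concrete in a few lines of code. The script below is an added example written for this page; it is not code from the article or from Cyber London, and every probability, loss figure, control cost and rating threshold in it is a constructed assumption. It takes a small risk register, converts each entry from a high/medium/low rating into an annual expected loss with the +/-30% band the article calls accurate enough, ranks the entries in money terms, and sets each proposed control's cost against the expected loss it would avoid, which is what lets a mitigation compete for investment alongside other priorities.

```python
"""Monetary risk ranking for a board risk register.

Added example; not code from the article or from Cyber London. Every
probability, loss figure, control cost and threshold below is an
illustrative assumption, not data from the article.
"""
from __future__ import annotations
from dataclasses import dataclass

TOLERANCE = 0.30          # the +/-30% band the article calls "accurate enough"
HIGH_THRESHOLD = 100_000  # assumed cut-offs for the qualitative scale, GBP per year
MEDIUM_THRESHOLD = 25_000


@dataclass(frozen=True)
class Risk:
    name: str                  # technical description (what the CISO sees)
    business_impact: str       # the same risk in the board's terms
    annual_probability: float  # chance of at least one occurrence in a year
    loss_per_event: float      # best-estimate cost of one occurrence, GBP
    control_cost: float        # annual cost of the proposed mitigation, GBP
    control_reduction: float   # fraction of the probability the control removes

    def expected_loss(self) -> float:
        """Annual expected loss: the article's likelihood x impact, in money."""
        return self.annual_probability * self.loss_per_event

    def expected_loss_band(self) -> tuple[float, float]:
        """Low/high bound at the +/-30% tolerance, so the board sees a range."""
        centre = self.expected_loss()
        return centre * (1 - TOLERANCE), centre * (1 + TOLERANCE)

    def qualitative_rating(self) -> str:
        """What the same number collapses to on a high/medium/low scale."""
        loss = self.expected_loss()
        if loss >= HIGH_THRESHOLD:
            return "high"
        if loss >= MEDIUM_THRESHOLD:
            return "medium"
        return "low"

    def residual_expected_loss(self) -> float:
        """Expected loss remaining if the proposed control is funded."""
        return self.annual_probability * (1 - self.control_reduction) * self.loss_per_event

    def net_benefit(self) -> float:
        """Expected loss avoided per year minus what the control costs.

        A negative value does not automatically mean "do not fund": for a
        low-probability, catastrophic event the board may still choose to
        buy down the tail. The number simply makes the trade-off explicit.
        """
        return self.expected_loss() - self.residual_expected_loss() - self.control_cost


# Constructed register for illustration only.
RISK_REGISTER = [
    Risk("Unpatched internet-facing web server",
         "marketplace outage and lost order revenue", 0.40, 500_000, 60_000, 0.75),
    Risk("Phishing of finance staff",
         "fraudulent supplier payments", 0.25, 300_000, 40_000, 0.60),
    Risk("Ransomware on file servers",
         "multi-day operations halt and recovery cost", 0.12, 2_000_000, 150_000, 0.50),
    Risk("Unencrypted laptop lost or stolen",
         "regulatory notification and customer churn", 0.60, 20_000, 5_000, 0.90),
]


def rank_by_expected_loss(risks: list[Risk]) -> list[Risk]:
    """Order the register by annual expected loss, largest first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def board_line(risk: Risk) -> str:
    """One line per risk in the board's terms: impact, money range, control trade-off."""
    low, high = risk.expected_loss_band()
    return (f"{risk.business_impact}: about GBP {risk.expected_loss():,.0f}/yr "
            f"(range {low:,.0f} to {high:,.0f}); proposed control costs "
            f"{risk.control_cost:,.0f}/yr, net benefit {risk.net_benefit():,.0f}/yr")


if __name__ == "__main__":
    for risk in rank_by_expected_loss(RISK_REGISTER):
        print(f"[{risk.qualitative_rating():6}] {board_line(risk)}")
```

Two things the output shows that the qualitative scale hides: the web server and the ransomware entries are both "high", yet differ by GBP 40,000 a year in expected loss, and the ransomware control has a negative net benefit on expected value alone, which is exactly the kind of trade-off a board should decide explicitly rather than have buried in a colour-coded matrix.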

 

Mark Child, a Director of Cyber London, gives us his views on how CISOs can level up their relationship with boardroom members:

 

“To improve board engagement and understanding of cybersecurity and resilience, CISOs must develop strong communication skills, align initiatives with business goals, and build trust with board members. This involves ongoing education, better communication of risks in business terms, and integrating cybersecurity and resilience into the organisation’s strategic planning.”

 

CLOSING WORDS ON CYBER COMMUNICATION

 

CISOs must develop a strong communication strategy to drive change within their organisations to ensure the board has a global understanding of IT risk. Here are five strategies they can employ to achieve this goal:

 

  • Ensure the board comprehends the full scope of both external and internal cyber risks - While cybercriminals are significant threats, internal personnel also pose a substantial risk: 91% of successful hacks originate from phishing emails, which only succeed when someone inside the organisation acts on them. Highlighting this "human factor" can help gain support for cyber awareness training and promote a holistic approach to managing cyber risk.

  • Speak in terms the board understands - Avoid hyper-technical language and instead present cyber issues using company- and industry-specific terms. Use real-life scenarios and concrete figures to illustrate the financial impact of a breach, such as referencing a competitor’s high-profile breach to highlight similar vulnerabilities.

  • Emphasise the advantages of a proactive approach - Many board members are still focused on reactive strategies. CISOs should help them see how proactive strategies can add business value, such as enhancing the company’s agility and confidence in its cyber resilience, rather than simply citing regulations as the reason for change.

  • Seek feedback - Directly ask if the board has any lingering questions or preferences for translating complex cyber risks into actionable policies. This helps you understand how the board best receives information and alerts you to gaps in their cyber knowledge, allowing you to refine your communication strategy.

  • Utilise risk reporting technology - Presenting risk data clearly can be challenging, but risk reporting technology can simplify the process. These tools help distil complex data into trends and priorities that the board can easily grasp, while also saving time on data gathering and analysis.



 

CYBER LONDON CHAMPIONS COMMUNICATION


Cyber London’s strapline, “Innovation through Collaboration”, underpins our goal to position ourselves as a champion of innovation, working with partners to develop a healthy ecosystem that secures London’s position as a global leader in cyber. This vision includes working with high-profile and influential CISOs to ensure a healthy cyber ecosystem is established and maintained in London and beyond. As enablers, we will strive to support CISOs when presenting risk, strategies and actionable recommendations in the boardroom. Reach out to Cyber London or, better still, become a member here.

 

 
