While cybersecurity is increasingly becoming a normalized topic of discussion for companies’ board members, they are still not on the same page with CISOs when it comes to understanding security threats and contextualizing their business impact.
A report released this month by Proofpoint, “Cybersecurity: The 2022 Board Perspective,” showed that a majority (76 percent) of board members discuss security-related matters at least once a month. However, the report also highlighted that several disconnects between CISOs and their boards persist when it comes to prioritizing cyber risks and understanding the context around them. Many of these disconnects may stem from a lack of communication: The report found that only half of board members regularly interact with their CISOs.
“Being able to truly ascertain cyber risk as part of your broader business risk is not only a communication matter, but it's also the ability to understand and absorb that information,” said Lucia Milica, global resident CISO at Proofpoint. “While CISOs need to continue working on translating technology and technical risk into business risk and be able to better deliver that risk story to their board, on the other side of the aisle, we need the board to be able to understand the true implication of cyber risk on the ultimate shareholder value and business goals.”
While boards and CISOs have vastly different roles and priorities, collaboration between the two is fundamental for making key prioritization, strategic and budgetary decisions, and looking at how security can be implemented in the company’s overall culture. While CISOs are responsible for developing security programs and this overall culture, board members can help drive these initiatives by keeping cybersecurity as a top priority on the agenda and setting an example for other leaders across the organization.
More Boards to Embrace Dedicated Security Committees
Boards of directors appear to be set on the course to embrace cybersecurity, with a 2021 Gartner report predicting that by 2025 the number of boards with dedicated cybersecurity committees will increase from less than 10 percent to 40 percent.
This change is driven in part by more companies digitizing their processes after the pandemic, said Gartner; but other factors come into play here as well. A Securities and Exchange Commission (SEC) proposed cybersecurity rule, set to go live in April 2023, would increase SEC scrutiny of public companies’ security decision-making processes at the leadership level, including the role of the board. This proposed rule would require organizations to describe their board’s oversight of cybersecurity risk and disclose the cybersecurity expertise of board members, for instance.
For CISOs, these dedicated cybersecurity committees mean more support and resources. After the December 2020 SolarWinds incident, for instance, SolarWinds established a technology and cybersecurity committee on its board of directors. Tim Brown, CISO at SolarWinds, said the committee represents a “great advocate for me and a check and balance for me and the board.”
“If you look up at boards, they’re often made up of different skill sets, different folks with financial or other skill sets, and cyber skill sets are not always present,” said Brown at the recent mWise Mandiant cybersecurity event this week. “We thought it was very important to establish a second security-focused committee in the board. We meet regularly, we're scheduled quarterly but more often than that. We brief them on what risks we face as a company. Every company has risk. It’s important that the board understands that, the board supports investment and the board supports different initiatives that we have.”
Different Perspectives of Cyber Risk
Despite the optimism around how boards of directors will embrace cybersecurity strategies and resources in the future, several challenges currently exist in how CISOs and board members interact.
The “Cybersecurity: The 2022 Board Perspective” report, for which Proofpoint, in partnership with MIT Sloan’s research consortium, surveyed 600 board members at organizations with at least 5,000 employees across 12 countries, revealed that board members and CISOs are not fully on the same page in how they perceive cyber risks and understand threat actors.
While board members and CISOs agreed that email-based attacks like business email compromise, as well as account compromise and ransomware, are top concerns, board members did not consider insider threats to be a top concern, while CISOs cited it as their number one worry. And, while board members’ top concerns around security incident consequences revolved around internal data becoming public and reputational damage, CISOs worried more about significant downtime and disruption to operations.
The latter points to a fundamental difference in the perspectives that the CISO role and the board of directors role each bring to a company. While board members’ roles revolve around the organization’s shareholders and protecting the value of their investments, CISOs are more concerned with protecting businesses from cyberattacks that could disrupt operations, said Proofpoint researchers.
“CISOs and board members came from diverse backgrounds; they're really bringing a different color of their overall perception of risk broadly,” said Milica. “Cyber risk is a complex topic and it really does require a good level of understanding on how this manifests down the rabbit hole to truly ascertain the full systemic risk impact that cybersecurity can have on the broader organization, but also the ecosystem outside.”
Making the Connection in the Boardroom
A lack of effective communication is one driver of this gap in how cybersecurity is understood. According to Proofpoint’s report, 69 percent of board members say they see eye-to-eye with their CISOs, but only 51 percent of CISOs feel the same way.
Phil Venables, CISO and vice president of Google Cloud, acknowledged at the mWise event on Tuesday that “there’s a little bit of fear in the boardrooms that cyber is this dark mysterious art that is really difficult to manage.”
CISOs and board members can achieve a better mutual understanding not by using technical terms, but by looking at what those terms mean for the business, such as how security threats and flaws can potentially impact organizational business goals and reputation. Board members care less about threat detection metrics and more about how those metrics will impact revenue, for instance.
Venables said that approaching boardroom communications from a risk-based perspective, rather than a technical perspective, can help drive further collaboration between CISOs and board members. CISOs could ask boards to think about the risks facing an organization’s most critical assets and services, the effectiveness of the controls that mitigate those risks and the end-to-end processes in place to constantly validate that these risks are being monitored, he said.
“Now in that whole paragraph, I never used the word technology, I didn’t use cyber, I didn’t use information security,” said Venables. “That’s just the approach that boards have to manage a whole array of risks… and the more boards can get used to that, the more security teams can answer that question in a coherent way. Today, they’re not doing a great job of answering that question and the boards are not doing a great job of holding the security and technology and risk teams accountable for that question.”