CISOs and board members view cyber risk through different lenses
There is a disconnect between the boardroom and chief information security officers around the world when evaluating cyber risk, according to new research released Tuesday from cybersecurity firm Proofpoint and MIT Sloan.
The report finds that boards tend to express greater concerns over a significant cyberattack hitting their company than their top security executives, with 65% of board members believing in the risk, compared with 48% of CISOs.
Lucia Milică, global resident CISO at Proofpoint, told SC Media that the COVID-19 pandemic that resulted in widespread digitization among businesses scrambling to stay open has elevated the importance of cybersecurity in the boardroom in ways both temporary and permanent.
“During the pandemic last year, board members had to focus on operation to enable the business to survive and function smoothly. Now as things have settled down a bit, they have opportunities to take care of long-term risks, including cyber threats, and implement controls accordingly,” said Milică. “On the contrary, CISOs are getting a level of comfort with the potential threats under remote working environments after a year adjusting to high levels of attacks.”
The report also finds that board members agree with CISOs on the top threats facing their enterprise, including email fraud, cloud account compromise, and ransomware, but they have different views about the most important consequences of a cyber incident.
The boardroom ranked internal data becoming public, reputational damage and revenue loss as their top concerns, highlighting a laser-like focus on the bottom-line impact of cyberattacks. Those concerns contrast with those of CISOs, who are more worried about significant downtime, disruption of operations and impact on business valuations. Additionally, CISOs were deeply concerned about the potential for employees and other insiders to steal or expose systems and data, ranking it as the top cybersecurity concern, while those fears didn’t register as much with boardrooms.
“This difference of opinion comes from the different perspectives each role brings to the organization,” the report reads. “CISOs primarily see their role as keeping attacks from disrupting the business and as enabling the business to continue to function despite cyberattacks. At public organizations, however, board members represent shareholders. They are most concerned with protecting the value of their investments, which can decline when the organization suffers in reputational damage or lost revenue.”
To close the gap between the boardroom and CISOs, effective communication is the key.
Milică said it is a positive trend that more organizations have appointed CISOs to their boards since the Securities and Exchange Commission proposed a series of new rules on cybersecurity. Those rules include mandatory reporting of significant cybersecurity incidents by publicly traded companies and disclosure of what, if any, cybersecurity expertise those companies have on their boards.
While bringing cyber expertise onto the board can help organizations make decisions in the field, Milică emphasized that CISOs should avoid jargon and technical expressions when communicating with board members. Instead, they should communicate risks in monetary terms by analyzing how threat actors could affect the business and leveraging real-world numbers, such as the potential costs of ransomware attacks.
Betsy Wille, director at Cybersecurity Studio, noted that these risks are increasingly feeding into larger efforts by governments and regulators, pushing CISOs to communicate in a language that boards understand.
“The board and CISO relationship is entering a new phase and has never been more important,” said Wille. “The rapidly evolving cyber risk environment and proposed regulations are transforming boardroom cybersecurity expertise. As a result, the role of the CISO is evolving away from technical specialist to business executive who can understand where business value is coming from and articulate to the board how to protect it.”
That view is increasingly gaining traction within the business world.
Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency who now leads the Krebs/Stamos Group, a consulting firm that offers cybersecurity advice to businesses, said he has spent the past two years outside of government conducting briefings with boards of directors, hammering home the importance of aligning the missions of security teams and the C-suite.
“You could have the absolute best security team in the world, you can have the absolute best CISO in the world, but if the board and the C-suite don’t pay attention, empower and invest — not just resource-wise but time, understanding and empowerment into the security team — you’re toast,” Krebs said Tuesday at a conference hosted by threat intelligence firm Recorded Future. “You’re not going to effect any sort of change across an organization if there’s no top cover. The business unit whose job is to make money to sell for the shareholder, they’re going to win every single time unless the security team has the top cover to get things done.”