Council Post: Why Your Board Of Directors Should Focus On Building Your CISO’s Self-Resilience
Global Resident Chief Information Security Officer (CISO) for Proofpoint.
The past year has been another challenge for organizations as threats continued to escalate while the cybersecurity workforce shortage stretched security operations teams beyond capacity. In the high-pressure cybersecurity environment, the CISO’s role was always stressful. But growing job demands, expectations and regulatory scrutiny create much higher levels of burnout and stress.
At a time when the role of security leaders is more important than ever, recruiting and retaining a highly skilled CISO is a tough challenge. Fifty-three percent of CISOs have been in their role for two years or less, and this high turnover, coupled with the talent shortage, puts organizations at high risk of cybersecurity failure.
This untenable situation requires a concerted effort by the board of directors and executive team to ensure their CISO is resilient and has the tools to succeed. An overworked, overwhelmed and stressed-out CISO simply cannot effectively defend and protect the organization.
CISO Pressures Grow
The pandemic put the spotlight on mental health in the workplace, and the cybersecurity industry was no exception. Job burnout and stress are now prevalent in the CISO community, but boards may not be aware of the CISO’s mental health concerns because the conversations take place mostly in private.
One area that adds to the stress is the increased regulatory scrutiny of security leaders’ roles. The Uber case in U.S. federal court, in particular, is troubling for CISOs because it sets a dangerous precedent for placing personal liability on them for cybersecurity incidents. Many CISOs may not know that a potential solution for them is directors and officers (D&O) insurance, which covers diligence, loyalty and obedience duties. While not the only answer, organizations should especially consider “Side A” D&O insurance, which protects officers and directors in those situations when the company does not indemnify them.
The much-needed proposed U.S. Securities and Exchange Commission (SEC) rule to increase transparency around cybersecurity risk management and governance has also created some trepidation in CISO and board of directors circles. They are uncertain what this means for the relationship between security leaders and board members—and these relationships are strained as it is.
These emerging developments ratchet up the pressures CISOs already face daily, including the widening talent gap and the unrelenting threat of ransomware and other cyberattacks. Just like the CISO, the entire cybersecurity team is burned out: its ranks are dwindling, and it must fight mounting threats with fewer resources.
Forrester even predicts that this year, the cybersecurity workers’ long hours will cause a whistleblower to expose unsafe work conditions. Overall, Forrester expects another rocky year ahead for CISOs—as challenging as the CISO’s job is now, tougher times are ahead.
Boosting Your CISO’s Self-Resilience
CISOs fight an uphill battle when they do not have support in the boardroom. One of the best things boards can do to empower their security leader’s resiliency is to bring in cybersecurity expertise on the board. Experts who understand what the organization and the cybersecurity team grapple with are powerful CISO allies. They help bridge the gap in the directors’ understanding of how cyber risk translates to business risk—so they can ensure their CISO has the requisite resources to mitigate that risk.
Establishing a cybersecurity or technology risk oversight committee is a great way to strengthen the board-CISO relationship. In the typical organization, cyber risk falls under the audit committee, composed mostly of accounting and financial experts. Yet financial experts do not really understand cybersecurity and its ramifications for risk. To them, cybersecurity is simply an operational expense rather than a strategic consideration.
A cybersecurity oversight committee would be able to truly interpret cyber risk and how it affects the broader business goals and the valuation of the organization. Creating such a committee aligns with the proposed SEC rule, and there is wide sentiment in the CISO community that this change would have a positive effect.
One of CISOs’ biggest frustrations is the feeling that nobody is listening to their concerns. Having an oversight committee and more experts on the board paves the way for honest and transparent conversations about cyber risk. But boards should not stop there. They must work on expanding every board member’s understanding of the threats their organization faces, as well as what their security team goes through to fight those threats. All these steps will help the board prioritize cybersecurity, which ensures the CISO has the resources to help ease some of the job burdens.
As leaders who drive the business agenda, directors play an important role in their organization’s cyber preparedness. Understanding the impact, stress and pressures their CISO and security team face every day—and arming them with the resources to handle them—will strengthen the resilience of both their CISO and their organization.