2/21/2020
10:00 AM
Joe Schorr
Commentary
How to Get CISOs & Boards on the Same Page

These two groups have talked past each other for years, each hobbled by their own tunnel vision and misperceptions.

Remember the old parable of the blind men touching the elephant? Its lesson is that perspective determines our conclusions, and that we risk missing the big picture if we forget that. Which, in turn, brings us to chief information security officers (CISOs) and boards of directors. For years, these two groups have talked past each other, each hobbled by their own tunnel vision.

Here is how that commonly manifests. The CISO looks at the board and thinks, "That's the money guy... and she's the lawyer." What the directors have in common, in the CISO's eyes, is little to no understanding of cybersecurity.

Conversely, boards often view CISOs as just another IT staffer, the woman who tries to stop hackers. And a quality CISOs often share is that they can't explain the return on the board's investment or talk about risk in a way that's meaningful to CXOs and directors.

In the end, neither side understands the other and they fail to unite around their common mission: mitigating enterprise risk. According to two recent studies, however, each side seems to be gaining some vision. Optiv Security's "The State of the CISO" report and NACD's "Public Company Governance Survey" provide interesting insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity.

A Convergence of Goals
CISOs historically have had trouble communicating with boards due to the difficulty of connecting cybersecurity programs to business value. On the other side of the table, directors are left wondering how cybersecurity maps to enterprise risk and business enablement, so they view CISOs as technical personnel rather than true C-level business executives.

However, Optiv's report, which surveyed 100 CISOs from the US and another 100 from the UK, shows that this gap in perception is narrowing considerably. Some 96% of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86% said they are getting more funding for their programs because of this improved understanding.

Similarly, NACD's survey of directors found that 79.3% of board members believe their board's understanding of cyber-risk has significantly improved compared with two years ago. Only 8.7% indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.

Lingering Disconnects
The communications gap between CISOs and board members appears to be narrowing, but there is still a disconnect when it comes to business priorities. According to the Optiv survey, 76% of CISOs feel that cybersecurity has become so important in their organizations that "CEO tracks" for CISOs will start to emerge. A full 70% of US respondents and 64% of UK respondents said that executive leadership at their company ranks cybersecurity as their top enterprise concern, even if it slows down business.

NACD's survey does not quite support this sunny CISO perception. Only 28% of responding directors said they prioritize security above all else, even if it slows down business, and 61% said that cybersecurity should not be prioritized above overall business velocity. This perception gap likely would have been wider just a few years ago (prior to directors and CISOs hiking up their respective learning curves), so things seem to be headed in the right direction for CISOs. Nevertheless, the surveys show that CISOs may be a bit optimistic in their view of how boards prioritize cybersecurity today.

Breach Experience: A Scarlet Letter?
One of the most interesting findings across the two surveys is how CISOs and boards view CISO data breach experience. Experiencing a breach was once a "scarlet letter" for CISOs — sometimes costing them their jobs and definitely not something to feature on a resume. Both the Optiv and NACD surveys show this is no longer the case. Boards have a general understanding today that breaches are often unavoidable and that it is the response to the breach, rather than the breach itself, that is the true measure of a CISO's competence.

In the Optiv survey, 58% of CISOs said that having breach experience makes them more attractive to potential employers than having no breach experience. Surprisingly, CISOs seem to underestimate how boards now value breach experience: a whopping 92% of directors surveyed in the NACD report said that experiencing a breach makes a CISO candidate more attractive because they have expertise in helping companies respond and recover.

Board/CISO disconnects are still a challenge for both sides. But at least now they seem to know they are both touching an elephant, and that's good news for any company that wants to reduce enterprise risk exposure.


Joe Schorr has more than 25 years of professional services and industry experience in information and cybersecurity and currently leads the executive services directors at Optiv. Joe is also a director on the Leading Disruptive Innovation Advisory Board at Stetson University ...