Dark Reading is part of the Informa Tech Division of Informa PLC


Careers & People

2/21/2020
10:00 AM
Joe Schorr
Commentary

How to Get CISOs & Boards on the Same Page

These two groups have talked past each other for years, each hobbled by their own tunnel vision and misperceptions.

Remember the old parable of the blind men touching the elephant? Its lesson is that perspective determines our conclusions, and that we risk missing the big picture if we forget that. Which, in turn, brings us to chief information security officers (CISOs) and boards of directors. For years, these two groups have talked past each other, each hobbled by their own tunnel vision.

Here's how that commonly manifests. The CISO looks at the board and thinks, "That's the money guy… and she's the lawyer." What those directors have in common, in the CISO's eyes, is little to no understanding of cybersecurity.

Conversely, boards often view CISOs as just another IT staffer, the woman who tries to stop hackers. And a quality CISOs often share is that they can't explain the return on the board's investment or talk about risk in a way that's meaningful to CXOs and directors.

In the end, neither side understands the other and they fail to unite around their common mission: mitigating enterprise risk. According to two recent studies, however, each side seems to be gaining some vision. Optiv Security's "The State of the CISO" report and NACD's "Public Company Governance Survey" provide interesting insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity.

A Convergence of Goals
CISOs historically have had trouble communicating with boards due to the difficulty of connecting cybersecurity programs to business value. On the other side of the table, directors are left wondering how cybersecurity maps to enterprise risk and business enablement, so they view CISOs as technical personnel rather than true C-level business executives.

However, Optiv's report, which surveyed 100 CISOs from the US and another 100 from the UK, shows that this gap in perception is narrowing considerably. Some 96% of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86% said they are getting more funding for their programs because of this improved understanding.

Similarly, NACD's survey of directors found that 79.3% of board members believe their board's understanding of cyber-risk has significantly improved compared with two years ago. Only 8.7% indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.

Lingering Disconnects
The communications gap between CISOs and board members appears to be narrowing, but there is still a disconnect when it comes to business priorities. According to the Optiv survey, 76% of CISOs feel that cybersecurity has become so important in their organizations that "CEO tracks" for CISOs will start to emerge. A full 70% of US respondents and 64% of UK respondents said that executive leadership at their company ranks cybersecurity as their top enterprise concern, even if it slows down business.

NACD's survey does not quite support this sunny CISO perception. Only 28% of responding directors said they prioritize security above all else, even if it slows down business, and 61% said that cybersecurity should not be prioritized above overall business velocity. This perception gap likely would have been wider just a few years ago (prior to directors and CISOs hiking up their respective learning curves), so things seem to be headed in the right direction for CISOs. Nevertheless, the surveys show that CISOs may be a bit optimistic in their view of how boards prioritize cybersecurity today.

Breach Experience: A Scarlet Letter?
One of the most interesting findings across the two surveys is how CISOs and boards view CISO data breach experience. Experiencing a breach was once a "scarlet letter" for CISOs — sometimes costing them their jobs and definitely not something to feature on a resume. Both the Optiv and NACD surveys show this is no longer the case. Boards have a general understanding today that breaches are often unavoidable and that it is the response to the breach, rather than the breach itself, that is the true measure of a CISO's competence.

In the Optiv survey, 58% of CISOs said that having breach experience makes them more attractive to potential employers than having no breach experience. Surprisingly, CISOs seem to underestimate how much boards now value breach experience: A whopping 92% of directors surveyed in the NACD report said that experiencing a breach makes a CISO candidate more attractive, because they have expertise in helping companies respond and recover.

Board/CISO disconnects are still a challenge for both sides. But at least now they seem to know they are both touching an elephant, and that's good news for any company that wants to reduce enterprise risk exposure.


Joe Schorr has more than 25 years of professional services and industry experience in information and cybersecurity and currently leads the executive services directors at Optiv. Joe is also a director on the Leading Disruptive Innovation Advisory Board at Stetson University ...