Remember the old parable of the blind men touching the elephant? Its lesson is that perspective determines our conclusions, and that we risk missing the big picture if we forget that. Which, in turn, brings us to chief information security officers (CISOs) and boards of directors. For years, these two groups have talked past each other, each hobbled by their own tunnel vision.
More commonly, here's how that might manifest. The CISO likely looks at the board and thinks, "That's the money guy… and she's the lawyer." And what they have in common is little to no understanding of cybersecurity.
Conversely, boards often view CISOs as just another IT staffer, the woman who tries to stop hackers. And a quality CISOs often share is that they can't explain the return on the board's investment or talk about risk in a way that's meaningful to CXOs and directors.
In the end, neither side understands the other and they fail to unite around their common mission: mitigating enterprise risk. According to two recent studies, however, each side seems to be gaining some vision. Optiv Security's "The State of the CISO" report and NACD's "Public Company Governance Survey" provide interesting insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity.
A Convergence of Goals
CISOs historically have had trouble communicating with boards due to the difficulty of connecting cybersecurity programs to business value. On the other side of the table, directors are left wondering how cybersecurity maps to enterprise risk and business enablement, so they view CISOs as technical personnel rather than true C-level business executives.
However, Optiv's report, which surveyed 100 CISOs from the US and another 100 from the UK, shows that this gap in perception is narrowing considerably. Some 96% of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86% said they are getting more funding for their programs because of this improved understanding.
Similarly, NACD's survey of directors found that 79.3% of board members believe their board's understanding of cyber-risk has significantly improved compared with two years ago. Only 8.7% indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.
The communications gap between CISOs and board members appears to be narrowing, but there is still a disconnect when it comes to business priorities. According to the Optiv survey, 76% of CISOs feel that cybersecurity has become so important in their organizations that "CEO tracks" for CISOs will start to emerge. A full 70% of US respondents and 64% of UK respondents said that executive leadership at their company ranks cybersecurity as their top enterprise concern, even if it slows down business.
NACD's survey does not quite support this sunny CISO perception. Only 28% of responding directors said they prioritize security above all else, even if it slows down business, and 61% said that cybersecurity should not be prioritized above overall business velocity. This perception gap likely would have been wider just a few years ago (prior to directors and CISOs hiking up their respective learning curves), so things seem to be headed in the right direction for CISOs. Nevertheless, the surveys show that CISOs may be a bit optimistic in their view of how boards prioritize cybersecurity today.
Breach Experience: A Scarlet Letter?
One of the most interesting findings across the two surveys is how CISOs and boards view CISO data breach experience. Experiencing a breach was once a "scarlet letter" for CISOs — sometimes costing them their jobs and definitely not something to feature on a resume. Both the Optiv and NACD surveys show this is no longer the case. Boards have a general understanding today that breaches are often unavoidable and that it is the response to the breach, rather than the breach itself, that is the true measure of a CISO's competence.
In the Optiv survey, 58% of CISOs said that having breach experience makes them more attractive to potential employers than having no breach experience. Surprisingly, CISOs seem to underestimate how boards now value breach experience: A whopping 92% of directors surveyed in the NACD report said that experiencing a breach makes a CISO candidate more attractivebecause they have expertise in helping companies respond and recover.
Board/CISO disconnects are still a challenge for both sides. But at least now they seem to know they are both touching an elephant, and that's good news for any company that wants to reduce enterprise risk exposure.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"