How CISOs Can Make Cybersecurity a Long-Term Priority for Boards

COMMENTARY

Cybersecurity has never been more critical for responsible corporate governance, as cyberattacks are among the gravest threats to companies' customers, operations, and reputations. 

Boards must invest in cybersecurity-awareness training programs to prepare the entire workforce for evolving cyber threats, and chief information security officer’s (CISO) have to champion this effort.

CISOs play a vital role in building stakeholder support for cybersecurity across the company — particularly on the board. Board members often lack the necessary knowledge to make informed decisions about the company's cybersecurity posture, and it's the CISO's job to educate them in a clear and compelling way. CISOs must demonstrate how much damage cyberattacks can cause, the ways employees can be equipped to identify and prevent these attacks, and how to maintain accountability for their risk-mitigation program.

5 Top CISO Communication Strategies

There are several strategies that will help CISOs earn long-term support for awareness training from their boards, from communicating cybersecurity concepts in an engaging and non-technical way to showing board members that cybersecurity programs offer significant ROI. Let's take a closer look at the top five ways CISOs can show boards that it's time to prioritize cybersecurity.

1. Know how to communicate with non-technical audiences.

While almost three-quarters of CISOs say they have "adequate exposure to the board," a majority of CISOs report that their board lacks "knowledge or expertise to respond effectively to their presentations." CISOs must do more to address this disconnect — a process that begins with evaluating how they communicate with board members.

Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, revealing how cybercriminals deceive and manipulate their victims, and explaining that the right behavioral interventions can enable all employees to resist cyberattacks. CISOs can also highlight concrete examples of cyberattacks.

With boards planning to increase their cybersecurity investments, it's essential for CISOs to clearly highlight the value of risk mitigation strategies like awareness training.

2. Focus on the entire cyber-impact chain.

According to IBM, the average cost of a data breach surged to $4.45 million in 2023. Cyberattacks can also lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce. This is known as the cyber-impact chain — a crucial concept for CISOs to discuss with board members.

Boards need to be aware that the effects of cyberattacks extend well beyond immediate financial burdens. At a time when 86% of consumers are worried about data privacy, a major cyberattack can undermine trust for years. As data regulations become increasingly strict, companies will be held accountable for compromised customer information.

CISOs have all the information they need to educate boards about the consequences of cyberattacks. They just have to present that information in a way that will hold board members' attention.

3. Stress the human element.

CISOs have the knowledge to explain how prominent cybercriminal tactics are thwarted. For example, 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.

There are several ways for CISOs to productively discuss the threat of social engineering with their boards. They can provide hard evidence for the impact of social engineering attacks, explain how awareness training arms the company to prevent these attacks, and emphasize the most effective ways to educate employees. Cybersecurity is everyone's responsibility, which is why CISOs must make the case for fully engaging employees with consistent, entertaining, and relevant awareness training content.

Awareness training is one of the best ways to mitigate the financial impact of data breaches as it can help companies keep pace with emerging cyber threats and be personalized to account for individual psychological susceptibilities and learning styles. As long as social engineering remains integral to the majority of cyberattacks, CISOs will need to prioritize human-oriented cybersecurity.

4. Outline how awareness-training programs can be measured.

As investments in cybersecurity rise, CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.

CISOs must make sure employees are learning what they need to know about the most urgent cyberthreats and tactics. Companies can use assessments such as simulated phishing to expose vulnerabilities and determine whether employees are able to apply what they've learned in real-world scenarios. These tests are especially valuable considering that phishing is the most frequent and second-costliest initial attack vector, according to IBM.

Beyond simulated phishing, CISOs can outline other forms of accountability to the board: employee-specific behavioral risk profiles, organizationwide security evaluations, and proactive incident reporting. These are all ways to reassure the board that resources allocated to cybersecurity are being put to good use.

5. Secure long-term support.

Despite the growing concern about cyberattacks, too many companies still treat cybersecurity as a check-the-box exercise. They rely on a few email PSAs or perfunctory cybersecurity presentations a couple times a year, which fail to provide employees with consistent and engaging content that will secure sustainable behavioral change.

Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale. Consistency is also necessary to reinforce what employees learn and identify weaknesses, such as the psychological vulnerabilities cybercriminals exploit. The goal of a security-awareness training program is to create a culture of cybersecurity at every level of the organization which can adapt to these challenges.

Cybercriminals are constantly developing increasingly sophisticated and effective ways to infiltrate companies by manipulating employees. This is why CISOs must secure long-term support for effective cybersecurity initiatives like a customer-satisfaction score (CSAT) from their boards — the threat is only becoming more dire, and companies have a responsibility to be prepared.