For years there has been an understandable tension between security leaders and corporate boards as the two work towards an equilibrium. The tension exists because cybersecurity is a relatively new business discipline compared with financial management, which has a well-defined and long-established linkage to the overall health of the business. Communicating effectively and efficiently how cybersecurity performance supports the business, and how it translates into risk and the bottom line, continues to elude many organizations. In the 2021 annual Fortune poll of Fortune 500 CEOs, two-thirds of respondents named cybersecurity risk as their biggest risk. Given these realities, it’s no wonder the Board is increasingly involved in the organization’s cybersecurity practices. Our nSights Report goes into much further detail; the link is at the end of this post.
To bring order to the chaos, it is important first to baseline the problem, which is complex, evolving, and indifferent to industry or market vertical, and then to propose an encompassing thesis from which cybersecurity programs can be matured deliberately. To that end, we have identified three primary concerns that must be addressed to answer the call of the moment:
- A misalignment in understanding of risk tolerance between the board and security teams,
- A disparity in technical understanding and industry terminology, and
- A lack of meaningful and timely visibility into the day-to-day performance of the organization.
All three issues are interrelated in that the end goal of each is to align the board and the security team, but each also has its own challenges that need to be addressed. When the board’s risk appetite is misaligned with the security team’s, the resulting mismatch in risk-mitigation priorities creates a rift between them. That rift becomes a chasm when it is combined with a significant gap in technical understanding, or with poor communication for want of a shared lexicon. If the CISO cannot explain the on-the-ground state of the organization’s cybersecurity performance in terms the Board understands, every effort to align their interests is doomed from the start. Part of this comes down to the lack of standardized performance-measurement practices in the cybersecurity industry, and it does not help that the measures which do exist are difficult to translate into business risk.
The final issue, a lack of meaningful visibility into the organization’s cybersecurity performance, is one of the most difficult to solve. Much of it currently rests on the CISO’s ability to distil complex and nuanced security topics into a high-level summary that adequately contextualizes the issue for the board. The CISO’s interpretation of the current status and performance of the organization’s security posture needs to be as accurate as possible, because at the end of the day it is that interpretation the board will hear. Automating the gathering of cybersecurity performance information is critical to establishing a thorough understanding of the organization’s security posture, which in turn is what will be used to educate the board.
Boards of directors are now acutely aware that they must take an active part in this discussion, with almost half of Fortune 500 boards treating cybersecurity as a strategic goal. Boards are asking better questions about the organization’s cyber risk and how it is to be measured, so that directors can carry out their duties effectively. Answering those questions requires greater investment in relevant reporting over time, but it also requires alignment of risk appetites, of lexicon, and of the future strategic direction of cybersecurity initiatives. It is time to shift our focus from amorphous measurements of the security team’s activity to what that team achieves and what it is worth to the business.
For more detail, you can read the full nSights Report here: https://cnsight.io/insights-report-cyber-alignment-with-the-board/