Cybersecurity is now a top priority for board members. According to Help Net Security's report on a recent NYSE Governance Services/Veracode survey, over 80 percent of respondents said security was discussed at "most or all" boardroom meetings. But there's a disconnect: Sixty-six percent of those surveyed said they were "not fully confident their companies are properly secured against cyberattacks." Bottom line? Something's lost in translation between CISOs and the rest of the C-suite when it comes to the value of security programs. How can IT execs communicate the severity of the issue to create an actionable executive link?
Defining the Problem
According to a report from research firm Gartner, entitled "8 Practical Tips to Link Risk and Security to Corporate Performance," CISOs face an uphill battle in the boardroom. In part, the difficulty stems from the vast supply of available operational risk and security metrics; while "valuable for internal operations," these resources have little meaning for other board members. Furthermore, many enterprises still tackle cybersecurity issues using a siloed approach, limiting the efforts of CISOs to encourage broad adoption of security policies and procedures.
The result of this trouble communicating? CEOs and other decision-makers understand the connection between better IT security and the company's bottom line — but this understanding isn't carried forward into action when new technology initiatives are deployed or third parties are granted access to corporate networks. It's as though the C-suite hears CISO warnings but tunes them out, chalking them up to mere paranoia or attempts to bolster IT budgets.
Forging a Link
So how can CISOs get the message across? Help Net points to the notion of shared accountability — after a breach, directors and other stakeholders are more likely to hold CEOs accountable than other C-suite members, even the CISO. Network World, meanwhile, uses a restaurant analogy to make its point: Guests at a fancy restaurant who experience terrible service and receive bad food don't want to hear excuses about the chef being late and waiters being poorly trained. They have high expectations and rightly so, since they've paid good money for the experience. The same holds true for stakeholders and cybersecurity: Partners and customers don't care if organizational infighting or risky shadow IT decisions are responsible for a data breach — actions, not excuses, are required, and all members of the C-suite share equally in the success or failure of cybersecurity efforts.
There are several other ways for CISOs to demonstrate the value of security programs, including mapping risk to top cybersecurity concerns. Rather than simply saying that a particular behavior or strategy leads to "risk," chief information security officers are better off detailing the potential damage to the corporate brand and the cleanup costs of a breach or theft of corporate intellectual property. As the Gartner report points out, however, it's also important to avoid the use of fear, uncertainty and doubt to convince other C-suite executives to support new cybersecurity initiatives. Instead, CISOs should find ways to directly link security programs to corporate goals and demonstrate how improved security measures can help meet or exceed these goals, in effect framing cybersecurity and budget discussions in a positive, proactive light rather than trotting out the familiar "doom and gloom" refrain.
Creating an executive link between the value of security programs and an organization's bottom line requires a new breed of CISO — one able to read C-suite members as well as technical manuals. With an approach that combines shared responsibility, risk mapping and goal setting, however, it's possible to bend the ears of other board members and make cybersecurity an integral part of any corporate strategy.