CISOs in the Boardroom: Why Executive Involvement is Critical for Cybersecurity

Company boards must proactively address cyber risks amid evolving threat landscape, emerging regulatory requirements, and customer compliance demands


In recent years, the threat of cyberattacks has become an ever greater concern for organizations of all sizes, leading many to recognize the need for a strong, proactive approach to cybersecurity. One crucial component of such a strategy is the presence of security expertise in the boardroom, particularly that of a Chief Information Security Officer (CISO) or a similarly experienced security expert, who can work closely with the board of directors to ensure that the company is fully prepared to defend itself.

According to a report by DHR Global, the presence of a CISO in the boardroom is a key factor in the overall state of cybersecurity for the top 500 public companies in the United States. The report found that companies with a CISO in the boardroom were more likely to have a strong cybersecurity posture and were better prepared to respond to cyber threats. It also noted that these boards were more likely to be aware of the growing cybersecurity challenges from global compliance and regulatory requirements, such as the impending US Securities and Exchange Commission (SEC) guidance on board and executive cybersecurity accountability and incident reporting.


Similarly, the recent World Economic Forum (WEF) Global Cybersecurity Outlook 2023 report highlighted that “data privacy laws and cybersecurity regulations [are] an effective tool for reducing cyber risks.” While executives aren’t necessarily fond of being required to follow these requirements, the report notes a “notable shift in perception,” which can be read as acceptance that it will take the rule of law to get executives, their boards, and the companies in their supply chains to change their approach.

These reports show a common trend: organizations whose security executives interact with business leaders are far more likely to have effective security. These organizations were more likely to have a formal incident response approach, hardened defenses, and awareness and training in place that reduced the impact of incidents, and to allocate a higher portion of their information technology budget to cybersecurity readiness and resilience. Unfortunately, not enough companies are this mature in their approach.

Boards Lack Preparedness for Cybersecurity Risks and Regulations

Are company boards prepared? In short, no. A survey conducted by DHR, along with a number of other reports, reveals that most companies are unprepared to tackle cybersecurity risks and comply with emerging regulations. For example, of the five hundred company boards DHR surveyed:

  • Only 1.4% have a current or former CISO,
  • Only about one quarter have a current or former chief information officer (CIO),
  • Only 2.4% have created cybersecurity committees, and
  • Nearly two-thirds have assigned cybersecurity to their already heavily-burdened audit committee.

While boards have recently turned some attention to cybersecurity, many remain trapped in a more traditional focus, limited to the technology defenses protecting the organization from attackers, rather than recognizing the broader, more strategic risks coming from outside the organization, whether from cyberattacks, data breaches, or aggressive regulators.

To understand the scale and potential impact of these risks, boards need to look to their customers, partners, and regulators. For example, the impact of new cybersecurity regulations on boardrooms is highlighted by Harvard Business Review (HBR), which notes that organizations are under increasing pressure from regulators around the world to demonstrate their ability to respond effectively to cyber threats and incidents. The HBR authors argue that the board of directors has a responsibility to be aware of these regulations and the potential consequences of non-compliance, and must demonstrate a clear understanding of the organization’s incident response plan in order to ensure it meets the requirements of regulators and other outside drivers.

In the WEF survey, 56% of security leaders reported now meeting monthly or more often with their board. In interviews, leaders reported that “public statements by government as well as regulation help boards understand the need to assign resources,” while recognizing that “regulation incentivizes action on cybersecurity but doesn’t directly lead to resilience within an organization.”

However, despite the growing importance of cybersecurity, many organizations still struggle to develop a strong strategic approach, including an incident response plan, and to ensure its effective implementation. As noted in an analysis by OODA Loop, many companies and their boards have adopted a “whack-a-mole” approach, reactively addressing the need for education and cybersecurity governance and dealing with individual incidents as they arise, without a comprehensive understanding of the root causes and without developing a broader, proactive plan for protecting their businesses.

WEF reports that in most cases, CISOs still report into parts of the organization with an “inherent conflict of interest,” because those leaders might not be properly incentivized to fund security adequately over other business priorities. However, the survey found that when those organizations faced an incident, they did prioritize and fund cybersecurity and data protection. While the tension between the business and security is a problem for company leaders to manage, the overall strategic approach needs to be set by the board of directors.

Proactively Approach Cybersecurity with Incident Response Planning

To overcome these challenges, organizations must take a proactive, strategic approach to cybersecurity. A great place to start is incident readiness and response planning. Why? Because while it addresses how a business will quickly and effectively respond to a cyberattack or data breach, protecting its customers and reputation, it also helps ensure the business is aligning its security program to the actual threats it faces, rather than throwing technology at the problem and hoping it works.

To that end, one of the best places boards can start is with their organization’s business continuity and disaster recovery plans. They can work with their organization’s security and operational leadership to identify the core operations that require continuity and map them to the potential impacts of cyber threats on those operations. From there, it’s key for boards to ensure their organization puts defenses in place and develops proactive plans for addressing each specific potential incident, rather than a single, boilerplate policy that’s of little use during any actual incident. At that point, the board can work strategically toward ensuring regular risk assessments, ongoing training and awareness programs, and periodic reviews in which lessons learned are used to update those incident response processes and plans.

Having a CISO in the boardroom who can provide expert guidance and trusted support for this process, among others, is essential to ensuring that the board of directors fully understands the organization’s cybersecurity posture and to developing these incident response capabilities. In fact, the Digital Directors Network notes that boardroom readiness is crucial for ensuring that the organization is fully prepared to respond to cyber threats and regulations. They argue that both business and technology executives must have the skills and knowledge to engage effectively with the board of directors, and both to provide and to capture valuable insights and recommendations for defending the business from attacks while avoiding onerous additional regulatory requirements and oversight.

How to Develop an Effective Incident Response Program for Your Board

One of the biggest challenges faced by boards of directors is a lack of understanding of the overarching security program, such as the importance of incident response and how it should be integrated into the overall security and privacy strategies. To address this, board members should seek education and training on incident response best practices and the importance of a holistic approach. Boards can start with a primer from a former or current CISO on the board or in the business.

Many organizations plan insufficiently for incident response and lack comprehensive incident response plans that take into account all relevant legal, regulatory, compliance, and communications requirements and deadlines. To address this, boards should work with their security, privacy, legal, and communications teams to develop a comprehensive incident response plan that covers all aspects of incident response. One common failing in many businesses is a myopic focus on security alone, which leaves them at serious risk of a chaotic response when other teams are brought into a response for the very first time.

Another challenge faced by many organizations is a lack of resources, including staff and budget, to effectively implement and maintain a robust incident response program. To address this and as noted above, boards should start with and prioritize incident response as a key component of their security and privacy strategies, working backwards from potential impacts to allocate the necessary resources to ensure the organization’s readiness and resiliency.

Incident response often involves coordinating with a variety of external parties, including law enforcement, regulatory agencies, and customers. To address this, boards should ensure that their incident response plans are linked to specific threats to the business itself, and include clear guidelines for communicating and coordinating with the range of external parties depending on the data and/or operations impacted.

Finally, without regular testing and validation of incident response plans, organizations are at risk of having plans that are outdated based on changes to the organization or that do not work as intended because they’ve never been practiced or used. To address this, boards should ensure that their organization regularly tests and validates incident response plans, and should even take part in such exercises, to ensure that they are effective and ready for use in the event of an incident.

Ultimately, the presence of a security expert in the boardroom, coupled with a comprehensive set of integrated incident response plans, is essential for protecting an organization from the consequences of a security or privacy incident and for ensuring that it is fully prepared to respond to cyber threats and regulators worldwide. By taking these steps, organizations can ensure that they are prepared to respond to inevitable future incidents, minimize the damage, and protect their reputation and, most importantly, their customers.
