FTI Consulting on Thursday reported that 85% of CISOs say that the prominence of cybersecurity on the board’s agenda has increased over the last 12 months, with 79% feeling heightened scrutiny from top leadership.
However, the lack of executive leadership understanding the role chief information security officers (CISOs) play in the organization (55%) prevents CISOs from articulating critical priorities. Some 53% also say their cybersecurity priorities are not completely aligned with C-suite leadership.
CISOs feel mounting pressure as the threat landscape increases, so much so that 82% of CISOs claim that they feel the need to positively exaggerate their role to their board. And, even as cybersecurity awareness grows, 58% of CISOs struggle to communicate technical language to their boards. FTI reported that 63% of CISOs feel their concerns are not aligned with senior leadership priorities, potentially leaving companies exposed to a possible incident or regulatory sanction.
“There’s increasing evidence that boards and leadership teams recognize the growing cybersecurity risk to their organizations,” said Meredith Griffanti, a senior managing director at FTI Consulting. “But our research found a clear communication disconnect between executive teams and their CISOs that’s hindering organizations from being fully prepared for this risk.”
Joseph Carson, chief security scientist and advisory CISO at Delinea, said CISOs must invest time listening to their executive board and business peers to learn how they measure their organization’s success. Carson said the CISOs role within cybersecurity is not to simply put technology in place for sake of security, but to put technology in place that contributes to business success, while ensuring cyber risks are either reduced or eliminated.
“The CISO must become the bridge between the board and the IT security team to ensure that a business-first approach is made with each and every security decision,” Carson said. CISOs need to make security a fundamental core to the business, and employees must never be afraid to speak out when they see something suspicious. Promote a culture where employees are never afraid to ask for advice or report suspicious activity, even if it was the result of something they clicked on. The earlier an employee reports something, the lower the potential impact and cost to the business it will have.”
Corporate boards need more actionable information based on what’s at stake if their environment isn’t aligned properly, said Robert Jenks, senior vice president of strategy and business development at Tanium.
Jenks said the reputational and business implications of a cyberattack can have lasting repercussions that erode a brand’s standing.
“As a result, we’ve seen boards across industries start to crave detailed, timely insight that will help them make more informed decisions,” Jenks said. “A primary component of that is strengthening the lines of communication with the CISO to ensure that areas of concerns are addressed with appropriate funding and resources.”