4 Things Boards Should Know, 4 in 10 Orgs Don’t Have a CISO, & Creating Culture – BSW #241

In the SolarWinds lawsuit, the more significant issue is really not that the Board allegedly knew about the risks; it’s that they reportedly knew and then did nothing to prevent or mitigate it. In 2021, the role of the Board has shifted to limiting the damage of these attacks and ensuring those risks are accounted for by their organization. What the Board needs from its CISO is clear communication on what projects you have in place and how they relate to existing and potential threats.

Here are four things your CISO wants your board to know. 1. In Order to Adequately Protect an Organization, Your Cybersecurity Budget Should be More Than 1% of Your Overall IT Spend 2. It’s Impossible to Provide Metrics on how Many Advanced Persistent Threats You’ve Blocked in the Past Month 3. Building a Culture of Cybersecurity as a Top-down Strategy is Imperative 4. Align Your Cybersecurity Strategy to an Acceptable Framework that Demonstrates Maturity Over Time

Organizations across the world have experienced swift changes in their business operations during the new normal. In particular, the adoption of the distributed work environment became a challenge for many companies, resulting in the rise of cyberattack risks. Several enterprises have increased their cybersecurity budgets to deal with new cybersecurity challenges. As the struggle of mitigating cyberthreats seems to surge, some organizations are wary about hiring security professionals. A recent analysis from cybersecurity solutions provider Navisite revealed that over 45% of organizations don’t employ a Chief Information Security Officer (CISO). Of this group, 58% think their company should hire a CISO.

If you're a CIO charged with maximizing security outcomes, while at the same time ensuring projects are implemented and everything "just works," focus on strengthening your relationships with those who can help you. Security is about buy-in, and it's especially important for those who don't fully understand it.

Here’s how leaders can build great teams, even when those teams aren’t together in-person all the time. 1. Make work purpose driven. 2. Trust your people more than feels comfortable. 3. Learn in the small moments. Send people — and yourself — nudges. 4. Provide clarity. Be more decisive than feels comfortable. 5. Include everyone. Take a long hard look in the mirror.

Think about cybersecurity not as an IT issue, but as a senior executive and leadership issue. Cybersecurity and cyber protection are often thought of as reactive measures, but organizations need to start seeing cyber protection as a way of planning. Similar to financial planning, cybersecurity should be incorporated as a part of everyday business. It's not an add-on; it should be embedded in the organization, or "embedded endurance strategy".