
Careers & People

Commentary by Joe Schorr, 2/21/2020, 10:00 AM

How to Get CISOs & Boards on the Same Page

These two groups have talked past each other for years, each hobbled by their own tunnel vision and misperceptions.

Remember the old parable of the blind men touching the elephant? Its lesson is that perspective determines our conclusions, and that we risk missing the big picture if we forget that. Which, in turn, brings us to chief information security officers (CISOs) and boards of directors. For years, these two groups have talked past each other, each hobbled by their own tunnel vision.

Here is how that tunnel vision commonly manifests. The CISO looks at the board and thinks, "That's the money guy… and she's the lawyer." What the directors have in common, in the CISO's eyes, is little to no understanding of cybersecurity.

Conversely, boards often view the CISO as just another IT staffer, the woman who tries to stop hackers. And a weakness CISOs often share is that they can't explain the return on the board's investment or talk about risk in a way that's meaningful to CXOs and directors.

In the end, neither side understands the other and they fail to unite around their common mission: mitigating enterprise risk. According to two recent studies, however, each side seems to be gaining some vision. Optiv Security's "The State of the CISO" report and NACD's "Public Company Governance Survey" provide interesting insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity.

A Convergence of Goals
CISOs historically have had trouble communicating with boards due to the difficulty of connecting cybersecurity programs to business value. On the other side of the table, directors are left wondering how cybersecurity maps to enterprise risk and business enablement, so they view CISOs as technical personnel rather than true C-level business executives.

However, Optiv's report, which surveyed 100 CISOs from the US and another 100 from the UK, shows that this gap in perception is narrowing considerably. Some 96% of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86% said they are getting more funding for their programs because of this improved understanding.

Similarly, NACD's survey of directors found that 79.3% of board members believe their board's understanding of cyber-risk has significantly improved compared with two years ago. Only 8.7% indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.

Lingering Disconnects
The communications gap between CISOs and board members appears to be narrowing, but there is still a disconnect when it comes to business priorities. According to the Optiv survey, 76% of CISOs feel that cybersecurity has become so important in their organizations that "CEO tracks" for CISOs will start to emerge. A full 70% of US respondents and 64% of UK respondents said that executive leadership at their company ranks cybersecurity as their top enterprise concern, even if it slows down business.

NACD's survey does not quite support this sunny CISO perception. Only 28% of responding directors said they prioritize security above all else, even if it slows down business, and 61% said that cybersecurity should not be prioritized above overall business velocity. This perception gap likely would have been wider just a few years ago (prior to directors and CISOs hiking up their respective learning curves), so things seem to be headed in the right direction for CISOs. Nevertheless, the surveys show that CISOs may be a bit optimistic in their view of how boards prioritize cybersecurity today.

Breach Experience: A Scarlet Letter?
One of the most interesting findings across the two surveys is how CISOs and boards view CISO data breach experience. Experiencing a breach was once a "scarlet letter" for CISOs — sometimes costing them their jobs and definitely not something to feature on a resume. Both the Optiv and NACD surveys show this is no longer the case. Boards have a general understanding today that breaches are often unavoidable and that it is the response to the breach, rather than the breach itself, that is the true measure of a CISO's competence.

In the Optiv survey, 58% of CISOs said that having breach experience makes them more attractive to potential employers than having no breach experience. Surprisingly, CISOs seem to underestimate how much boards now value breach experience: a whopping 92% of directors surveyed in the NACD report said that having experienced a breach makes a CISO candidate more attractive, because they have expertise in helping companies respond and recover.

Board/CISO disconnects are still a challenge for both sides. But at least now they seem to know they are both touching an elephant, and that's good news for any company that wants to reduce enterprise risk exposure.


Joe Schorr has more than 25 years of professional services and industry experience in information and cybersecurity and currently leads the executive services directors at Optiv. Joe is also a director on the Leading Disruptive Innovation Advisory Board at Stetson University ...