Board-level cybersecurity engagement has improved in recent years, but progress is still painfully slow, according to 2021 research from Enterprise Strategy Group, a division of TechTarget.
Corporate boards' subpar cybersecurity literacy and security leaders' lack of business acumen have resulted in missed opportunities to align security and business objectives, leaving enterprises open to potentially catastrophic cyberthreats. In encouraging news, of 365 senior business, security and IT professionals surveyed by ESG, 85% said their boards of directors engage more meaningfully with cybersecurity strategies and decisions today than they did two years ago. Yet, more than two-thirds of respondents also said their organizations persist in viewing security as a "technology area" rather than a core business concern, despite the digital transformation well underway in the enterprise and increasing levels of overall cyber risk.
Jon Oltsik, senior principal analyst at ESG, said that, to understand cybersecurity, one first must understand IT -- and many corporate boards simply don't. "Let's face it: Typically, a board is composed of 60- to 75-year-old men who had some success in business, probably before or in the early days of the internet," he said. "They didn't have the acute cybersecurity issues then that we have today, so there's a gap."
Security professionals -- about 70% of whom hail from traditional IT backgrounds, according to ESG -- have also contributed to this cultural disconnect by framing cybersecurity board reports in technological rather than layman's or business terms, Oltsik added.
"Unfortunately, most CISOs don't know how to translate technology into business language or how to use common analogies and colloquialisms to get away from the 'bits and bytes' of cybersecurity," he said. As such, their presentations to boards -- which typically care about financial profitability rather than technical proficiency -- fall flat, ultimately leaving security teams without the support and resources they need to appropriately mitigate threats to the business.
"If board members don't understand cybersecurity, they may unknowingly accept a phenomenal amount of risk without realizing it," Oltsik said.
Reactive vs. proactive cybersecurity board engagement
While ESG's research showed the typical board is becoming more engaged with cybersecurity issues overall, the survey data suggested that's often only because of an external catalyst, such as new regulatory compliance requirements or a data breach. Oltsik said the notorious 2018 Anthem Inc. breach, for example, triggered a reactive spike in board-level cybersecurity buy-in across the healthcare industry. "Every other organization said, 'If it happened to Anthem, it could happen to us,' and suddenly got religion," he said.
On a more positive note, a new CISO or the adoption of a formalized security program can also prompt an increase in cybersecurity participation in the boardroom. According to Oltsik, a savvy CISO will strategically court greater executive and director engagement by measuring cyber risk and preparedness from all angles and then explaining how the organization stacks up against industry peers, what needs to change and how much it would cost. "At that point, it's a business discussion, which is what it takes," he added.
Once a CISO has clearly communicated an existing or emerging cybersecurity risk and its implications for the business, its mission and its bottom line, the board has three options:
- accept the risk;
- mitigate the risk; or
- transfer the risk, such as with cybersecurity insurance.
Notably, ESG's research suggests proactive cybersecurity board-level engagement is growing but still relatively rare. Proactive engagement is driven by an overarching desire to strategically align security with organizational goals, rather than by external events. It requires an uncommonly high level of cybersecurity education, training and buy-in among corporate executives and directors.
How to advance cybersecurity in the boardroom and C-suite
About half of respondents in the ESG survey described their leadership teams as "very involved" in key cybersecurity activities, such as establishing budgets, prioritizing investments and establishing a security culture. While this suggests progress toward overall cybersecurity-business alignment in the enterprise, it also leaves much room for improvement -- with researchers describing executive and board involvement in security initiatives as still "cursory at best" in many organizations.
ESG offered six recommendations for advancing cybersecurity's standing in the C-suite and boardroom and throughout the enterprise.
1. Educate boards
ESG's survey responses indicated ongoing cybersecurity education at the board level prompts corporate leadership to take a greater and more proactive interest in cyber risk mitigation. But CISOs looking to single-handedly change the perception of cybersecurity in the boardroom have their work cut out for them, Oltsik acknowledged. As a result, many security leaders recruit independent experts to help educate their boards on cyber risk, a move ESG analysts described as an enterprise best practice. According to Oltsik, executives and directors tend to perceive third-party consultants and academics as having a high degree of credibility, bolstering the CISO's case for cybersecurity investment and creating a strong educational experience for the board.
2. Adopt a CISO-to-CEO reporting structure
CISOs should report directly to CEOs rather than to CIOs, most security experts agree. This reporting structure gives security a seat at the executive table, positioning CISOs to make meaningful contributions to the business and increasing senior leadership's exposure to cybersecurity issues. A CISO-to-CIO reporting structure, on the other hand, pigeonholes security leaders as technologists and undermines cybersecurity-business alignment.
3. Foster a cybersecurity culture
All employees should participate in cybersecurity training and understand the critical role security plays in the overall success of the business. Leadership should also make every department responsible for relevant cybersecurity goals and metrics, giving everyone an active role in protecting critical business assets.
4. Formalize the cybersecurity program
A formal, top-down security program articulates high-level strategies and controls that align with the business's vision and mission, making them explicit, actionable and trackable using clear documentation, KPIs and metrics. In addition to creating a roadmap toward a more secure enterprise, a formalized program also gives CISOs and boards a shared language with which to discuss cyber risk and security priorities, according to ESG.
5. Prioritize critical assets and initiatives
All cyber risk is not created equal -- a truth too often lost on the enterprise, the researchers said. Organizations should identify their most sensitive and valuable assets and create proportionally aggressive risk modeling, monitoring and mitigation strategies to protect them.
6. Hire BISOs
According to the ESG analysts, a business information security officer, or BISO, can complement the CISO's efforts by advocating for cybersecurity at a granular level within key business units, resulting in better overall security-business alignment on the ground.