As cybersecurity increasingly influences business decisions and tech investments, CISOs have evolved from technical experts to business leaders. Therefore, they deserve a seat at the table and a voice in driving business outcomes. Research supports this with Gartner predicting that 70% of boards will include one member with cybersecurity expertise by 2026. Some organizations are already ahead of the game with CISO board representation. According to a Heidrick & Struggles survey, the share of CISOs on corporate boards doubled from 14% in 2022 to 30% in 2023.
In this article, we will explore the importance and benefits of having a CISO on the board, the challenges of finding and retaining board-ready CISOs, and practical tips for CISOs to communicate with the board effectively.
WHY CISOS MUST BE ON THE BOARD
SMOOTHER CYBERSECURITY-RELATED INVESTMENTS
CISO involvement in business decisions means a smoother buy-in process from the board, especially for cybersecurity-related investments. Encouragingly, CISO relationships with the board are improving: 53% of directors communicate with security leaders regularly and 65% of board members see eye-to-eye with CISOs (Proofpoint).
Findings from a recent IDC study state:
- 90% of executives reveal that CISOs are involved in important business innovation decisions
- 60% state that cybersecurity leaders attend board and management meetings
- 77% note that the personal influence of the CISO has increased
According to Merritt Baer, CISO of Reco, a growing number of CISOs are reporting directly to CEOs. This closer relationship with business-driven C-levels allows CISOs to align security objectives with business goals, integrate cybersecurity into organizational culture, and most importantly, ensure budgets are optimized for the right cybersecurity initiatives.
IMPROVED COMPLIANCE WITH TIGHTER REGULATIONS
Boards now need to add a heavy item to their agenda – rising cybersecurity compliance and governance expectations.
Under the cybersecurity disclosure rules adopted by the U.S. Securities and Exchange Commission (SEC) in July 2023, U.S.-listed companies must publicly disclose a cybersecurity incident within four business days of determining that it is material, describing its nature, scope, timing, and likely impact on the company. The rules also require an annual disclosure of how the company identifies, assesses, and manages cyber risk, how the board oversees that risk, and what role and expertise management has in handling it. This has set a global precedent, with similar regulations expected in Europe and APAC.
Boards that don’t have a member with cybersecurity expertise will find themselves exposed. Worryingly, 98% of company directors do not have cybersecurity expertise (The Wall Street Journal). Additionally, Korn Ferry found that a pitiful 1.4% of companies have a current or former CISO on the board. Considering the rapidly developing regulatory landscape, CISO representation on the board is no longer a formality – it is becoming a requirement.
STRONGER CYBERSECURITY PRACTICES
Cyberattacks and data breaches are costing businesses millions of dollars.
For instance, the average data breach cost USD4.45 million in 2023, up 15% from 2020, according to IBM’s Cost of a Data Breach Report 2023. Detection and escalation costs are now the largest share of breach costs, having jumped 42% since 2020. According to PwC, companies with more than USD10 billion in revenue report an average breach cost of USD7.2 million, while those with less than USD1 billion in revenue report USD1.9 million in damages.
An organization’s reputation is on the line not only as the victim of a major cyberattack, but also if it is discovered that its CISO is underrepresented and underappreciated. Benjamin Frost, a Senior Client Partner in Korn Ferry says, “From a boardroom perspective, after a major data breach, if it’s suddenly discovered that your CISO is a fairly minor player within the organization, that’s not a good look from a litigation standpoint.”
A common reason an organization fails to implement effective security practices is the lack of communication between the CISO and the executive board. CISOs also tend to overlook that the board has limited understanding of cybersecurity complexities.
BOARDS MUST WORK HARDER TO RETAIN CISOS
Being a CISO is stressful, and many of them don’t want to do it for long, leading to challenges with retention.
A study by BlackFog found that almost 33% of CISOs are considering resigning, citing poor work-life balance and too much time spent on “firefighting” over meaningful work. It’s no surprise that the average tenure for a CISO is only 24 to 48 months (Coalfire).
Therefore, organizations must motivate and build CISOs into business leaders and map their career trajectories more clearly. A Korn Ferry study reports that one in four security leaders may leave the industry by 2025, potentially due to limited professional advancement opportunities. Many CISOs aim to report directly to the CEO, and for good reason—80% of tech security leaders who do so receive the funding they need for security initiatives.
Addressing this challenge requires more than technical skills. CISOs must have strong business acumen and the political savvy to navigate cross-departmental dynamics, which does not come naturally to more technical CISOs. Robert Hansen, Managing Director of Grossman Ventures says, “Having looked at over 100 different CISOs, the ones that tend to do the best are business-centric CISOs. They tend to be the ones that are able to come to the table, work with the board and the executive team, and work across departments in a positive proactive manner.”
HOW CISOS CAN SPEAK ‘BOARD’ LIKE A PRO
It’s not enough for CISOs to have a seat on the board; they must initiate the important conversations about cybersecurity strategy and break them down for the board in a digestible manner. Each board member should know:
- The company’s most valuable assets, where they are located, and how they are protected.
- What is at risk, and whether leadership has the visibility to make the right investments and deploy resources against those exposures.
- Whether the organization continuously monitors its environment so that it can meet its business goals and remain cyber resilient when a breach occurs.
- How cyberattacks impact the company’s bottom line.
How can CISOs communicate the strategies above successfully? Dr. Aleksandr Yampolskiy, globally recognized cybersecurity innovator and Forbes contributor, advises security leaders to:
- Leverage cyber risk quantification to express cyber risk as economic impact, translating potential losses into clear numbers. Focus on the few figures that aid board decision-making. For example, tell board members that a $300K investment in a product can prevent a $2 million revenue loss from website disruption. Quote expected, probability-weighted loss rather than a single worst case, so the comparison holds up to scrutiny.
- Conduct tabletop exercises that simulate cybersecurity incidents and define specific roles and responsibilities. These exercises help the board understand the organization’s incident response plan and identify gaps in an interactive manner.
- Bring in a cyber expert to bridge the communication gap between CISOs and the executive board. This expert can help security leaders develop effective strategies for addressing security challenges and reduce the pressure and responsibility on the CISO alone.
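As an added example (not from the article, and not the method of any of the people quoted in it), the following Python script shows what the cyber risk quantification advice above looks like in practice. It is a small Monte Carlo model in the style of FAIR: a subject-matter expert supplies how often a loss event happens per year and a 10th/90th-percentile range for what one event costs; the model turns that into an annualised loss expectancy (ALE) plus a 95th-percentile "bad year", then compares before and after a control to compute return on security investment (ROSI). Every scenario figure (event rates, loss ranges, the USD 300K control cost, the storefront-outage scenario itself) is a constructed assumption for illustration.

```python
"""
Monte Carlo cyber risk quantification (a simplified FAIR-style model).

Annual loss = sum of per-event losses over a Poisson number of events.
Per-event loss is lognormal, calibrated from a 10th/90th-percentile
estimate that an expert can realistically give. All figures used below
are constructed for illustration, not data from the article.
"""
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal z-score of the 90th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected loss events per year (Poisson mean)
    loss_p10: float         # 10th percentile of a single event's loss, USD
    loss_p90: float         # 90th percentile of a single event's loss, USD

    def lognormal_params(self):
        """Fit mu/sigma so the lognormal's 10th/90th percentiles match the estimate."""
        lo, hi = math.log(self.loss_p10), math.log(self.loss_p90)
        return (lo + hi) / 2.0, (hi - lo) / (2.0 * Z90)

    def analytic_ale(self) -> float:
        """Closed-form annualised loss expectancy: E[events] * E[loss per event]."""
        mu, sigma = self.lognormal_params()
        return self.events_per_year * math.exp(mu + sigma ** 2 / 2.0)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small event rates used in risk models."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Simulate `trials` years; return the ALE (mean) and tail percentiles of annual loss."""
    rng = random.Random(seed)
    mu, sigma = s.lognormal_params()
    yearly = []
    for _ in range(trials):
        n = _poisson(rng, s.events_per_year)
        yearly.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    yearly.sort()

    def pct(p: float) -> float:
        return yearly[min(int(p * trials), trials - 1)]

    return {"ale": statistics.fmean(yearly), "p50": pct(0.5), "p90": pct(0.9), "p95": pct(0.95)}


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (risk reduction - cost) / cost.
    Negative means the control costs more than the risk it removes."""
    return ((ale_before - ale_after) - control_cost) / control_cost


def compare(before: Scenario, after: Scenario, control_cost: float,
            trials: int = 20_000, seed: int = 1) -> dict:
    """The board-level view: ALE and bad-year (p95) loss with and without the control, plus ROSI."""
    b, a = simulate(before, trials, seed), simulate(after, trials, seed)
    return {
        "ale_before": b["ale"], "ale_after": a["ale"],
        "p95_before": b["p95"], "p95_after": a["p95"],
        "rosi": rosi(b["ale"], a["ale"], control_cost),
    }


# Constructed scenario (assumption): a web-storefront outage from a DDoS or
# defacement, before and after a mitigation service assumed to cost USD 300K/yr.
# The control is assumed to cut event frequency, not the cost of an event.
BEFORE = Scenario("storefront outage, no mitigation", 0.5, 200_000, 2_000_000)
AFTER = Scenario("storefront outage, with mitigation", 0.1, 200_000, 2_000_000)
CONTROL_COST = 300_000

if __name__ == "__main__":
    for key, value in compare(BEFORE, AFTER, CONTROL_COST).items():
        print(f"{key:>11}: {value:,.2f}")
```

Run it as a script to print the comparison. The line that matters to the board is ROSI: a control is worth funding when the ALE reduction it buys exceeds its annual cost, and the p95 figure tells directors how bad a single year can be even when the average looks manageable. The 10th/90th-percentile calibration is deliberate; experts give far better answers to "what would a typical bad case cost?" than to "what is the mean?".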
Furthermore, LaLisha Hurt, a three-time CISO and public sector industry advisor at Splunk, emphasizes researching each member’s background and their unique concerns. Her advice is to “present security as a business enabler and not a cost center,” and to put dollars and numbers on the impact wherever possible.
In today’s complex cybercrime and compliance landscape, it’s crucial for CISOs to be heard by the board. They also must be provided with the necessary support and resources to perform effectively and avoid burnout. Security and compliance should not rest solely on the CISO’s shoulders; the board must share the responsibility. At the same time, CISOs need to enhance their business and communication skills to gain the board’s respect. Cyber resilience and culture start at the top, and CISOs need to lead the way.