One morning in 2015, Joseph Carson began his presentation to a company’s board of directors about why its cybersecurity division deserved a budget increase. The firm, explained Carson, was uniquely vulnerable to the dangers of ransomware and supply chain attacks. If this project didn’t get the funding it needed, the company’s data would be at risk of multiple breaches, he said, inviting the kind of public and legal scrutiny that would see its stock plunging and his audience out of a job.
The board seemed suitably frightened. “The CEO and CFO came to me and thanked me afterwards,” recalls Carson. Then they denied the budget application. “That’s when I realised that we need to start changing.”
Seven years on, and it’s harder to imagine this same scene occurring in any boardroom. Cyberattacks are commonplace for large organisations, and board directors now view cybersecurity as the second-highest source of risk, behind regulatory compliance, according to a survey by analyst company Gartner.
Still, cybersecurity expertise is lacking on most company boards. Just 12% of chief information security officers (CISOs) surveyed by executive search firm Heidrick & Struggles last year have a seat on their corporate boards.
That could be about to change. In March, the US Securities and Exchange Commission (SEC) released a proposal that, if approved, will make oversight of corporate cybersecurity a legal responsibility of the executive board. In the UK, meanwhile, the government has made clear its plans to require listed companies to publish a 'resilience statement' with specific information on cybersecurity risks.
This growing awareness of cybersecurity risk means that 40% of boards of directors will have "a dedicated cybersecurity committee overseen by a qualified board member" by 2025, Gartner has predicted, up from less than 10% in 2020. CISOs with a seat on the corporate board could soon be a more common occurrence.
Questions remain, however, about how this will succeed in practice. Cybersecurity, after all, is a deeply technical discipline, and one that many find difficult to master. But having a CISO on the board isn’t just about teaching corporate officers a thing or two about basic security hygiene, explains Carson, now chief security security scientist and advisory CISO at Privileged Access Management (PAM) specialist Delinea.
Rather, it’s about triggering a top-down cultural shift in the business toward adaptive cybersecurity. Increasingly, says Carson, “my job is [about] business resiliency - and cybersecurity is my skill set.”
Cybersecurity is everybody’s problem
More and more businesses agree. Gartner's survey of board directors found that 88% view cybersecurity as not only a technical problem for IT departments to solve, but a fundamental risk to how their businesses operate. That’s hardly surprising, given the recent history of hacks against private businesses. Another study by IBM on the cost of corporate data breaches found that 83% of companies surveyed suffered a data breach in 2021, at an average cost of $4.35m - an all-time high for a report that has been running for 17 consecutive years.
Ensuring the CISO has a seat on the board is one way of ensuring a company has a firm handle on how to handle these risks to the business. Even so, says Andrew Rose, resident CISO at security company Proofpoint, they should be careful in how they communicate their concerns. “The 'sky is falling' narrative can be used once or twice, but after that, the board will become a bit numb to it all,” Rose explains.
Forcing boards to prioritise cybersecurity should instead be done through positive affirmation, argues Carson - and, ideally, be framed in how shoring up the company’s defences will help it perform better in the long term. “You need to show them how this is going to help the business be successful, how it will help employees to do their jobs better, provide value to the shareholders, [and] return an investment,” he says.
Over time, this might pull CISOs away from the nitty-gritty, technical side of cybersecurity. This is for the best, explains Greg Crowley, CISO at security company eSentire. They “should not be looked at as the person in charge of patching, the owner of all risk, or the guy preventing a breach,” says Crowley. “A CISO needs to be viewed as the leader and executive and, like other executives, needs to work across the organisation.”
This change in emphasis in the role has been so pronounced that, in some companies, the CISO has evolved into the 'BISO', or business information security officer. “They’re more in tune to business language and business structure and organisational structure, especially from a board perspective,” says Carson.
Over a third of enterprise-level companies have adopted the BISO as a line-of-business (LOB) leader tasked with collaborating with the CISO and the CIO, according to a recent threat report by Oracle and KPMG. There are also signs that these appointments are beginning to have the top-down, cultural impact that appointing a cybersecurity expert to the board is intended to achieve, with 53% of organisations surveyed employing, or planning to employ, a BISO to work with LOB managers to weave cybersecurity into business processes.
How effective will this be?
This is especially important given the current recruitment crisis afflicting the IT sector, and a doubling in ransomware attacks on private enterprises this past year alone. Ransom demands also continue to rise, explains a report by CyberEdge. The percentage of organisations bowing to the pressure of paying also rose from 45% in 2019 to a record-breaking 63% in 2022.
As such, there must be an understanding of what an IT team is actually protecting. “It's a society protection [issue] rather than just protecting devices, because we're starting to use these devices for everything,” says Carson. “We use them for communication, for banking, for sharing. It's a lifestyle that overlaps with business, and we have to assess the impact this has.”
Ideally, a successful, board-level CISO will not only ensure this message is heeded by his fellow executives, but also each department in their company.
That’s easier said than done. While an organisation may need a cybersecurity conduit to achieve security across the board, some are finding that there are few frameworks in place to adequately support such an innovation. The BISO role can create an environment that invites “centralised security functions to bypass or scapegoat the BISOs, causing the executives to try anything to show their value, often coming up short," warned Mike Privette, CISO of transpotrt Passport, in a recent blog post,
Carson agrees. “Unfortunately, sometimes the CISO in an organisation is not necessarily there to make change,” he says. “Sometimes they’re a scapegoat, sometimes they’re a checkbox,” he says.
For CISOs to work effectively, they must zoom out and view cybersecurity within a truly global context, and work with governments to ensure that what they’re doing inside their businesses is beneficial to the public at large. In short, explains Carson, triggering a cultural change within the company as to how it approaches cybersecurity is only the start of the job for the board-level CISO, because, in the end, he says, "it's not just about putting security in place to protect your organisation".
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.