December 19, 2019
Few board-level topics have been as noteworthy or confusing in recent years as cyber risk, and with it, the changing role of chief information security officers (CISOs).
A pair of studies released in recent months, Optiv Security’s The State of the CISO and NACD’s 2019-2020 Public Company Governance Survey, provide useful insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity, and perhaps even more interestingly, how they view their own work relative to how others perceive their roles.
The stereotypical storyline of the board-CISO relationship goes a little like this: CISOs have trouble communicating with boards due to the difficulty of connecting cybersecurity programs to business value. As a result, directors think of CISOs as technical personnel rather than true C-level executives, and CISOs think board members just don’t get cybersecurity.
However, Optiv’s recent report, which surveyed 100 CISOs from the United States and another 100 from the United Kingdom, indicates that this gap in perception is narrowing considerably. Ninety-six percent of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86 percent said they are getting more funding for their programs because of this improved understanding.
Similarly, NACD’s most recent survey of directors found that 79.3 percent of board members believe their board’s understanding of cyber risk has significantly improved compared to two years ago. Only 8.7 percent indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.
While the communication gap between CISOs and board members appears to be narrowing, there is still a bit of a chasm when it comes to business priorities. According to the Optiv survey, 76 percent of CISOs feel that cybersecurity has become so important in their organizations that “CEO tracks” for CISOs will start to emerge. Seventy percent of US respondents and 64 percent of UK respondents said that executive leadership at their company ranks cybersecurity as their top enterprise concern, even if it slows down business.
But NACD’s survey shows that directors are not quite on the same page when it comes to business priorities. Only 28 percent of responding directors said they prioritize security above all else, even if it slows down business, and 61 percent said that cybersecurity should not be prioritized above overall business velocity. While these numbers undoubtedly would have been far lower just a few years ago (before directors began scaling the cybersecurity learning curve), they indicate that CISOs may be a bit optimistic in their view of how boards prioritize cybersecurity.
Perhaps the most interesting finding across the two surveys is how CISOs and boards view CISO breach experience. It was not long ago that a breach hitting the headlines was a career-limiting event for CISOs. Today, there is a greater understanding from boards that breaches are often unavoidable, and it is the response to a breach that is the true measure of a CISO’s performance.
In Optiv’s survey, 58 percent of CISOs indicated that having breach experience on their resume increases their chances of being considered for other CISO roles. This is a far cry from just a few years ago, when a data breach was a “scarlet letter” on CISO careers, and indicates a significant shift in how senior executives and boards view CISOs and data breaches.
However, NACD’s survey suggests that CISOs are actually underestimating the value of breach experience on their career paths compared to how directors view such skills. Ninety-two percent of directors surveyed said that experiencing a breach makes a CISO candidate more attractive because they have expertise in helping companies respond to and recover from a breach incident.
These are only a few data points on the complicated relationship between CISOs and their boards. However, the Optiv and NACD surveys do reveal several important trends:
The cyber risk landscape is constantly evolving, and so shall the relationship between CISOs and boards. It will be interesting to watch how things progress in the years to come.
Mark Adams is the senior practice director of risk transformation at Optiv.