{"id":16124,"date":"2020-10-26T04:31:02","date_gmt":"2020-10-25T17:31:02","guid":{"rendered":"https:\/\/cyberleadershipinstitute.com\/cyber-resilience-requires-the-board-and-the-ciso-to-be-aligned\/"},"modified":"2023-12-11T08:47:27","modified_gmt":"2023-12-11T08:47:27","slug":"cyber-resilience-requires-the-board-and-the-ciso-to-be-aligned","status":"publish","type":"post","link":"https:\/\/cyberleadershipinstitute.com\/cyber-resilience-requires-the-board-and-the-ciso-to-be-aligned\/","title":{"rendered":"Cyber resilience requires the board and the CISO to be aligned"},"content":{"rendered":"

\"\"<\/span><\/p>\n

A recent Deloitte study disclosed that a meager 38% of Chief Executive Officers and 23% of board members were “highly engaged” in the subject. This isn’t surprising—business executives and corporate directors have long perceived cybersecurity as highly cryptic. Sadly, most executives are only forced to participate in cyber resilience by a damaging cyber breach.

Meanwhile, regulators keep tightening pressure on corporate directors to ensure their cyber governance mechanisms are effective and fit for purpose. Cyber resilience can only be achieved when the most senior business officers are deeply engaged in strategy setting and execution.

Based on our interactions with cyber leaders who go through our Cyber Leadership Program, there is a rising interest from the board and C-suite, keen to gain deeper insight into cyber risk and its implications for the business value chain. Despite the enthusiasm, however, corporate directors find themselves frustrated this time around with complex cybersecurity reports and vain metrics. We provide two practical tips to close this gap.


Align cyber strategy and risk management to corporate goals

To address this enduring challenge, cybersecurity professionals should raise their game, move away from numbing cybersecurity vocabulary, and learn to speak the language of the businesses they work with. Boards of directors have very limited time at their disposal and are not comfortable discussing ISO 27001 reports or NIST standards. Rather, they are concerned about how cyber risk will impact new product success, business growth, the cost of capital, innovation, customer trust, profitability, and other crucial business priorities. To get this right, Chief Information Security Officers (CISOs) must develop an in-depth understanding of business operations, value chain, strategic priorities, risk appetite, and regulatory environment.

This also requires CISOs to be provocative storytellers, replacing “tech talk” with relatable analogies to persuade the board and executive management to act. Risk maps and detailed metrics are not enough. As Harrison Monarth wrote in the Harvard Business Review, “Data can persuade people, but it doesn’t inspire them to act; to do that, you need to wrap your vision in a story that fires the imagination and stirs the soul.”


Encourage board-level cybersecurity conversations

As we have emphasized before, cyber resilience can only be attained when the board and C-suite are fully engaged in the cyber transformation agenda. The best way to align the cybersecurity function and the board is to give the CISO direct access to the board. That way, the board can ask key questions and gain undiluted visibility into the enterprise’s key risks and strategic priorities. An alternative approach for boards that lack technical expertise is to invite outside management consultants with a proven ability to inform the board whether it is over- or underspending on cybersecurity. Some of the key questions the board should ask include: