Cybersecurity strategies and the boardroom
Cybersecurity has clearly become an important board-level priority. In fact, more than 80 percent of respondents to a NYSE Governance Services/Veracode survey reported that cybersecurity is discussed at most or all boardroom meetings. At the same time, a surprising 66 percent are not fully confident their companies are properly secured against cyberattacks.
Pressure has been mounting in the boardroom following multiple high-profile breaches leading to C-level changes. In fact, many board members are now being tasked to personally manage cybersecurity as a risk area, according to ISACA. This has created a need for CISOs to better understand board member perceptions and become more effective at communicating their cybersecurity strategies in the boardroom.
Based on survey results across a variety of industries – including financial services, healthcare and technology – board members clearly understand the connection between cybersecurity and the bottom line. Yet the results also reveal a significant disconnect when it comes to how board members prioritize cyber risk when introducing new technology-based products or services.
While it’s refreshing to see cybersecurity risk move higher on the board’s agenda, board members ranked it second to last in priority when developing new products and services (behind other concerns such as competitive differentiation, revenue potential and development costs).
Key insights from the survey that CISOs can use when presenting to the board include:
Map risk to top cybersecurity concerns. Respondents listed brand damage, breach cleanup costs and theft of corporate intellectual property – leading to loss of competitive advantage – as their top three cybersecurity worries.
Gain visibility into third-party risk. More than 70 percent of respondents reported having significant concerns about the risk posed by third-party software in their supply chains.
Use risk metrics. When asked how they would like cybersecurity information to be presented, nearly two-thirds of respondents indicated a strong preference for either risk metrics or high-level strategy descriptions rather than descriptions of security technologies.
Demonstrate business and communications skills. Alongside technical skills and experience, respondents listed business acumen and strong communication skills as the top three qualities a strong CISO should possess.
Encourage shared responsibility. After a breach, board members said they are more likely to hold the CEO accountable – signaling a shift away from putting the onus squarely on the CISO.
“CISOs should leverage the momentum created by the board’s increased focus on cybersecurity to build consensus and support around what it takes to reduce risk for the business, across people, process and technology,” said Chris Wysopal, CISO at Veracode. “There will be bumps in the road for everyone involved, especially now that the board is becoming an active participant in what was once a deeply technical domain. This requires CISOs to expand their skillset and get comfortable describing cyber risk relative to other business priorities and board-level concerns.”
Methodology: The “Cybersecurity in the Boardroom” survey was conducted electronically over the course of four weeks in March and April 2015. All of the nearly 200 respondents are board directors of public companies, with 78 percent serving on one to three executive boards.