CISOs in the Boardroom: Partnering with your CISO
The CISO has taken on a more prominent role in recent years. From the effort to maintain business as usual during the pandemic to facilitating secure remote and hybrid working long-term, a cybersecurity perspective is no longer just a helpful addition to business strategy. It is now essential.
But with greater influence and responsibility comes increased pressure, new relationships and a technical language barrier that’s not always easy to overcome.
So, what do CISOs think of the spotlight they find themselves under and is security still given the billing it deserves as the disruption of recent years slowly fades from memory?
Listening to the Voice of the CISO
Proofpoint’s 2022 Voice of the CISO report revealed that increased pressure from greater expectations is taking a toll on CISOs across all industries. One in two feel they are facing an impossible task due to excessive expectations of their role.
Adding to the large, demanding, and often thankless task facing CISOs is a perceived lack of support from the rest of the boardroom. Only a little over half say they see eye to eye with board members on matters of cybersecurity.
This disconnect can cause issues beyond strategy, too. More than half of global CISOs say their reporting line hampers their ability to do their job. Perhaps even more concerning is the finding that the same proportion do not feel their organisation positions them to succeed.
Addressing the wider issue
While the increased prominence of the CISO role has undoubtedly contributed to the discontent felt by many, there is much more to these findings than just the events of the past few years.
In her recent podcast discussion with Human Factor Security’s Jenny Radcliffe, Proofpoint’s VP and Global Resident CISO Lucia Milică Stacy suggests there could be a much longer-standing issue:
“When we look at the beginning of the pandemic, when security leaders were shifting operations nearly overnight to continue to function, and the many examples of successful high-profile attacks, it’s clear that we have consistently failed to focus on cyber risk as a business risk, and cybersecurity as a business enabler.”
And Lucia is not alone. Pinsent Masons LLP CISO Cristian Toon, who also took part in the CISO Voices podcast series, believes that organisational change is required if CISOs are to thrive in the boardroom:
“Excessive expectations are a result of poor risk management practices…. CISOs can’t be expected to protect the organisation continuously from all threats. If the business fails to mitigate risk, the board needs to step in and accept the greater risk of doing nothing.”
Viewpoints like these are certainly not uncommon. But while relations between CISOs and their wider organisations aren’t as close as we’d like them to be, there is much room for positivity. That such opinions are being aired and, most importantly, understood at the board level is a considerable improvement on the situation just three or four years ago.
A look ahead
While recent years have been challenging for organisations and CISOs alike, the good news is that both are seemingly aware of areas needing improvement.
Boards are increasingly acknowledging the importance of robust cybersecurity to organisational success and taking steps to involve the voice of the CISO much earlier in business-critical conversations. At the same time, CISOs are adapting to their changing roles and using their influence to enhance information protection solutions and drive more comprehensive security awareness training.
But the onus is on both the CISOs and boards to ensure that the platform now afforded to cybersecurity remains a permanent fixture.