
Cybersecurity governance requires improvement among boards, according to a study.

Enhanced Cybersecurity Oversight and Compliance on Corporate Boards Highlighted by SEC Regulations

Cybersecurity oversight necessitates improvement, according to a new study


In the face of escalating cyber threats, boards and Chief Information Security Officers (CISOs) are forging stronger partnerships to bolster their organisation's cybersecurity preparedness.

The board, as the ultimate overseer of an organisation's cybersecurity readiness, must ensure there is sufficient knowledge, accountability, and resources to manage cyber risks effectively. To achieve this, boards are cultivating cyber literacy, understanding cybersecurity as a business risk, asking informed questions, demanding transparency, and holding leadership accountable for effective cyber risk management.

The CISO's role is pivotal in this context. They are tasked with developing and leading enterprise-wide information security strategy, policies, and programs. Crucially, the CISO acts as the bridge between technical cybersecurity teams and the board, translating complex security issues into business terms, providing regular updates, and ensuring that the board and executives understand cybersecurity risks and mitigation efforts.

To address the knowledge gap and improve cybersecurity preparedness, boards and CISOs must take several steps. Firstly, they should build board cyber literacy through ongoing education on cybersecurity risk management and terminology. Secondly, they should establish clear accountability by defining roles, such as making CISOs accountable not only for IT security but also for operational technology (OT) security where relevant.

Improving reporting structures is another crucial measure. This can be achieved by implementing direct communication channels between CISOs and the board, including routine risk briefings, incident reporting, and updates on compliance status. Developing unified governance that merges IT and OT security teams where needed is also essential, ensuring domain expertise is maintained while improving oversight and reporting pipelines to the board and regulators.

Risk-based reporting that contextualizes cyber threats in terms of business impact is another key aspect. This helps leaders understand priorities and resource needs. Incorporating legal counsel into governance is also important to ensure compliance and protection for cybersecurity leaders.

Elevating the CISO to the executive team allows them to report regularly to the board and answer its questions. The potential penalties for cyber incidents are growing, and SEC requirements make it essential for CISOs to report to higher levels in the organisation, including the board. However, many organisations still have the CISO reporting to the CIO, CTO, or CFO.

Experienced board director Rob Clyde emphasises the importance of every board director being proficient in cybersecurity. A survey by the Corporate Governance Institute found that nearly 60% of respondents had not received sufficient cyber resilience training in the last 12 months. Organisations that prioritise cybersecurity are more likely to have the CISO report directly to the board.

Boards need actionable information, such as real-time data on the effectiveness of controls in mitigating business risks. Boards unaware of the business risks from poor cybersecurity are unlikely to include the CISO in the Directors & Officers insurance policy.

In summary, boards must become cyber literate and demand meaningful, risk-focused reports from CISOs, who should deliver clear, consistent communication and integrate cybersecurity into enterprise risk management. This partnership enables more effective decision-making and preparedness. Enhanced reporting lines, educational efforts, and unified IT-OT governance are key measures to close the preparedness gap and strengthen cybersecurity management across the organisation.

The board, as the ultimate overseer, should ensure accountability and resources for effective cyber risk management, including building cyber literacy and establishing direct communication channels with CISOs for risk briefings and updates. The CISO's role is vital: developing information security strategy, translating complex issues into business terms, and ensuring the board understands cybersecurity risks and mitigation efforts. To close the preparedness gap, boards and CISOs should improve reporting structures, adopt risk-based reporting, and unify IT-OT governance, with the CISO elevated to the executive team for regular reporting to the board.
