Risk Management
Why CISOs need to leap a C-suite credibility gap
Everywhere you look today there are signs of elevated cyber risk.
There have been a number of examples recently where sophisticated state-backed snooping has led to breaches, with threat actors posting large quantities of stolen information online.
To avoid becoming the next victim, organisations need their boards to nurture a strong relationship with the company’s CISO, based on mutual trust and an effective plan for building cyber-resilience. Unfortunately, new Trend Micro research reveals how far this is from reality in many companies – with both sides partially to blame.
A plan for today, and tomorrow
The current threat landscape remains a volatile and innovative place. Trend Micro alone blocked over 161 billion threats for customers in 2023, but some will inevitably bypass current defences and cause mayhem. Threat actors have never had access to such a large pool of hacking know-how and tooling. But it is basic cyber-hygiene mistakes that continue to expose organisations in large numbers. According to Verizon, there was a 180% increase in vulnerability exploitation last year, and non-malicious human error was a contributing factor in 68% of breaches over the period.
Against this backdrop, finding a way to improve baseline resilience should be an urgent priority. Yet government figures tell us that cyber-hygiene efforts are stalling. Around a quarter of global organisations don’t restrict admin rights or deploy network firewalls as they should. And only just over half (58%) of medium-sized firms currently have a formal cybersecurity strategy in place at all.
It seems that in many organisations, boards still pay only lip-service to cyber. Our research finds that it is still treated as part of IT rather than business risk in a third (34%) of responding organisations. This is despite plenty of regular real-world examples that highlight the possible impact of breaches. Separate research finds that, following a breach, many organisations could experience a decrease in company valuation (16%), as well as more lawsuits (13%), customer churn (10%) and changes in senior leadership (13%).
Eye to eye
It seems that CISOs are not only being ignored in boardroom discussions. They are actively being undermined. Some 79% of those we spoke to say they’ve felt boardroom pressure to downplay the severity of cyber risks facing the organisation. Of these, two-fifths claim it’s because they are seen as being “repetitive” or “nagging”, or viewed as overly negative. A third say they have been dismissed out of hand. This is not the way to build a cyber-resilient organisation.
Things must change, and not only to help reduce the risk of financially and reputationally damaging breaches. The direction of travel among global regulators is to increase transparency and accountability for cyber among business leadership. It’s there in new SEC cybersecurity reporting rules, and it’s there in the EU’s NIS 2 directive – where senior managers are now to be held personally liable for infringements. It’s therefore in the best interests of the board/C-suite to engage more closely with their CISO – and build a more compelling strategy for cyber-risk management.
A single source of truth
How might this work in practice? While board members need to start treating cyber as part of business risk, and to listen more closely to their CISOs, the latter may also need to change. It’s particularly important that they keep any cybersecurity jargon to a minimum, and make cyber strategy more relevant to broader business plans.
They should consider the following:
- Using no-nonsense language, free from acronyms and jargon
- Aligning the cyber security programme with business objectives
- Focusing on clear risks and using relevant data, metrics and dashboards to back their arguments
- Reporting little and often to the board, as the risk landscape changes
- Putting time in to build personal relationships with board members
Executive dashboard functionality in Trend Vision One is an ideal way to support these closer CISO-board engagements. By serving up compelling evidence from a “single-source-of-truth” platform, CISOs can bolster their arguments and point out exactly where on the digital attack surface the organisation must invest next.
The good news is that when board members are engaged, they’re likely to ask tougher questions of their CISOs and join the dots more easily between cyber and business risk. It could help to prompt more long-term strategic investments in cybersecurity, rather than the piecemeal, reactionary spend that often leads to a surfeit of point solutions. A single source of truth from a single, unified platform to tackle risk across the entire corporate attack surface: that’s where the smart money is heading today.