CISO proactivity can make all the difference during a board meeting. Executives combatting resource constraints are demanding more information and asking more questions about the cyber risks facing their companies.
It’s not in the job description, but it’s crucial to your success
Leading your board to ask the right questions about cybersecurity might not have made the requirements on your job description but providing executives with relevant and actionable information supports effective IT oversight and governance.
Given that a mere 15% of public-company directors claim to be very satisfied with the quality of cybersecurity-related information they are provided, CISOs face wide open opportunities to bridge the communication gap and give leadership exactly what they requested.
How important is cybersecurity to your board?
According to recent reporting, less than half of the organizations surveyed believed their board and executive management had an adequate understanding of cybersecurity to evaluate cyber risks and control measures.
- In 2021 the Center for Audit Quality (CAQ) reported only 34% of S&P 500 companies have a board member who could be considered a cyber expert
- That number decreases to 22% for mid-cap companies.
Explain the what and why to executives
Even if most boards aren’t filled with cybersecurity experts today, evidence suggests leaders are eager to learn.
- According to the National Association of Corporate Directors (NACD), in 2012 fewer than 40% of boards surveyed regularly received any kind of reporting on cybersecurity risks.
- A similar 2020 study from the NACD reported 79% of public-company directors believe their board’s understanding of cybersecurity risks has significantly improved in the last two years.
Explaining the what and why behind cybersecurity business measures bolsters executive trust and board presentation success. As the executive responsible for managing cybersecurity in your organization, it is important for you to expose your board to the security team while grounding them in your business’ relevant threat landscape.
Schedule time face to face
Getting face time with your full board of directors outside of the regularly scheduled meetings (e.g., end of year, end of quarter) for additional education and context-setting can be challenging. We encourage our clients to recommend establishing a cyber risk-focused discussion or working group or sub-committee of the board that meets on a quarterly basis, facilitating deeper conversations on the topic of cyber risks.
Spend time in the numbers, outlining how cybersecurity implemented enables the business’ bottom line. Attention to details like protecting critical operations and securing supply chains shows your department takes an active responsibility in the organization’s success.
Schedule a tabletop exercise and invite pivotal leaders to observe. Witnessing a simulated incident response scenario can highlight the capabilities and processes your team developed and give leaders a glimpse into IT’s daily complexity. Taking advantage of additional opportunities to educate your board members pays dividends and supports future executive buy-in.
Enabling people-first technology adaptation
Ascent’s Business Change Enablement practices equips IT leadership for board discussions and advises on the quickest path to fulfilling cybersecurity goals. We’re people-first. Our consultants search for the best intuitive and technical solutions for your organization. Interested in partnering with Ascent’s Advisory services? Reach out to email@example.com.