Once you have successfully secured additional time with your directors, the next question is what to discuss with them. We recommend our clients focus on several core tenants of effective cybersecurity. Many of these may seem obvious to CISOs and other cybersecurity leaders but it’s critical to establish measurements with your board about what effective cybersecurity means to your organization.
1: Cybersecurity is a shared responsibility across the business and buy-in starts from the top
The interconnectedness of enterprise networks and the speed of many malicious cyber exploits means a compromise anywhere across the network can have disastrous impacts everywhere. Executive support of the cybersecurity team and your initiatives is critical, ensuring your colleagues across the business understand and follow guidelines limiting your cyber risk.
Listen: How to create a culture built for change
2: Cybersecurity investments should reduce demonstrated risk
It’s becoming more important to demonstrate how your cybersecurity priorities are linked to the business strategy. According to a recent Gartner study, 30% of large businesses surveyed indicated that the primary objective of their cybersecurity spend is to improve operational efficiency and/or productivity.
Boards are less concerned about cybersecurity for their own sake and fewer companies are investing in cybersecurity tools and programs as additional insurance against threats. Business leaders are tightly coupling cybersecurity investments to particular business objectives, and they are measuring those outcomes to prioritize additional spending.
Listen: How to map business outcomes to cyber priority
3: Managing cybersecurity risk is a part of enterprise risk management
As boards are becoming more interested in cybersecurity, CISOs should continue to reframe cyber risk through the lens of enterprise risk. Cyber risks are not exclusively technical – they pervade the organization and can impact operations at every level. The Cybersecurity & Infrastructure Security Agency (CISA) encourages organizations to approach cyber risks with a common language and equal priority to other risk areas such as financial and reputational risk.
Listen: How to address threats probable to your business
4: Cybersecurity awareness is crucial to risk mitigation
People are the first and best line of defense for your organization, so it is important to equip them with relevant and engaging awareness and training materials. Given that approximately 88% of all data breaches are caused by user error, the best way to bring that number down is to redirect user behavior. The more knowledge your users have, and the fewer opportunities they have to make a mistake, the less likely they are to put your organization at risk.
Listen: How to protect against insider threats
5: No business, application, or system is 100% secure
If your board of directors asks you the question, “Are we secure?” that should be a clear signal to you that they need additional education on the realities of cyber risks and the vulnerabilities present in every connected system.
Threat actors are highly motivated to continually seek out novel exploitable vulnerabilities and the steady roll out of zero-day attacks shows no sign of slowing. A CISO should never be responsible for guaranteeing 100% security. Rather, they should be working across the organization to bring the level of cyber risk within tolerance in support of business objectives.
Listen: How to address cybersecurity misconceptions
Enabling people-first technology adaptation
Ascent’s Business Change Enablement practices equips IT leadership for board discussions and advises on the quickest path to fulfilling cybersecurity goals. We’re people-first. Our consultants search for the best intuitive and technical solutions for your organization. Interested in partnering with Ascent’s Advisory services? Reach out to firstname.lastname@example.org.