Cyber security is now a common topic of boardroom debate. In the KPMG 2021 CEO Outlook Pulse Survey, cyber risk was ranked as the number one organizational threat by global CEOs, with data security taking a priority over all other technology investments.
Senior executives and non-executive directors have become all too aware of the impact of incidents such as data loss, ransomware and fraud, which can bring operations to a standstill and destroy revenue and reputation.
But they also face a dilemma: They want to rapidly digitize the business, but are starting to recognize that moving too fast, without considering security at the design stage, can also bring risks.
As companies become ever more dependent upon digital technology, every business decision has a cyber security dimension. The CISO’s priorities are shifting from firewalls and identity management to major strategic challenges like brand trust, product security, resilient operations, and robust supply chains.
More and more CISOs are getting a direct line to the CEO, but are they really prepared for such an elevated role? As the saying goes: “When you get to the end zone, act like you’ve been there before.” CISOs need to start thinking that they deserve to be members of the C-suite, focusing on problem-solving and becoming business enablers, with a stake in innovation, growth and revenue.
You need a strong CISO who can articulate the total landscape of risk. This requires a real understanding of the organization plus a technical understanding of the cyber landscape. The board discussion is about giving them the confidence that you’re managing risk and moving to a better place.
Speaking the language of business risk and opportunity
Addressing the challenge
In stepping up to a C-suite role, CISOs must acquire new skills and mindsets, to focus less on pure security and compliance, and more on broader business risks and opportunities.
Here to help the business and enable revenue
Today’s businesses must be fast to market, yet avoid releasing products and services with cyber vulnerabilities. There will always be occasions when CISOs need to apply the brakes, but, by getting involved at the earliest stage of new product development, they can embed security by design and reinvent themselves as business enablers who ultimately help the company go faster, more safely, preserving digital trust.
A common view of risk
In the words of Leon Chang, Head, Cyber Defence Group, IHiS, “CISOs that go to board meetings with ill-prepared technical presentations are setting themselves up to fail.” As risk advisors, CISOs should eschew technical detail and speak to the board on its terms, explaining the cyber threat landscape and associated risks to customers, growth, revenue, costs and brand. By using a common language for cyber and operational risk, which resonates with the board, they can frame a constructive debate on cyber security risk — and emphasize the need to embed cyber security in corporate strategy and major investment approvals.
Investing in risk mitigation
According to Palo Alto Networks’ VP and CISO, EMEA, Greg Day, “If you can’t quantify and qualify the scope of the problem, in terms of threat to revenue, it’s hard to get the resources. So, I give my board three solutions: gold, silver and bronze. Gold mitigates a higher proportion of risks but requires a larger investment, and so on. Then the board can make a trade-off.
Influencing rather than enforcing
Influence at board level can often be informal, a result of relationships forged with multiple stakeholders. In navigating the corporate jungle, CISOs need to gain trust, by attending meetings of finance, marketing, operations and other functions, to both learn about business risks and educate about cyber threats. CISOs can also bring compelling individuals in front of the board, from within and outside of the cyber team, with interesting outlooks and insights into risk, to articulate the importance of cyber security. In this new, C-suite world, it’s all about influence, as Greg Day, VP and CISO, Europe, Middle East and Africa, Palo Alto Networks, puts it: “A CISO is not a great CISO because of a huge budget and massive team. It’s because they’ve empowered the business around them to go ahead and be successful.”
Working in the gray zone
The elevation of the CISO role into the C-suite is good news for everyone involved in cyber security, but CISOs must prove they’re up to the task. CISOs should articulate to the board and executives how cyber security plays into all decisions, to reduce risk and improve business outcomes — it’s not just about fear. Integrating into corporate strategy involves a more holistic approach to business, moving out of the technological comfort zone and becoming storytellers. CISOs should also avoid being reactively driven by regulatory compliance, and recognize the benefits of leading the security debate and anticipating the regulatory drivers.
The real advantage of going to the cloud won’t come from cost savings, but from speed to market, innovation, scaling up faster… so we must focus on what we can do to enable the business to move faster, safely, securely and responsibly.
Working in the gray zone of corporate politics may prove especially challenging for the many CISOs from technical backgrounds. Every organization will get hacked at some point, so the CISO has to demystify cyber security by explaining what an incident could cost the business, and the degree to which investment in cyber security can reduce risk and accelerate recovery. CISOs can bring unique perspectives and insights into the modus operandi of criminals or malicious attackers. Most mature organizations will have well-established enterprise risk management systems, and the CISO should seek to embed cyber security into these.
Managing expectations is another tricky balancing act. Sales and marketing executives want to swiftly launch and enhance new products and services, operations need to run 24/7, while customers expect their data to be secure. By working with CIOs and their DevOps teams, CISOs can help others become heroes, embedding cyber security and making full use of automation, enabling new revenue streams, keeping the lights on, and enhancing trust in the organization.
The objective of bringing a cyber person to the board is not to let others relax when the subject of cyber comes up, but to lift the understanding and capability of everyone else, which transforms the quality of discussion.