CISOs must help their boards manage cyber risk — here’s how

In one of the more memorable scenes from the film “Jerry Maguire,” Tom Cruise’s character, a football agent, can be seen pleading with his one client, begging him to just “help me, help you.” Maguire kept repeating the line, hoping to break through to the player, trying to convince him to change his attitude in the hopes it would help him land a big contract from his team.

This scene came to mind recently when I was thinking about the relationship between CISOs and their boards of directors. Cyber attacks on a corporation can exact a high price — in money, reputation, and lost business. CISOs battle day and night to prevent their company from suffering a crippling cyber attack, yet too often they don’t receive the help or support they need to properly execute their roles. As a result, CISOs often can’t get enough money to hire staff and purchase the systems that can prevent cyberattacks, can’t raise consciousness among executives to pay attention to cybersecurity issues, and can’t persuade boards of directors to focus more of their attention on cybersecurity needs.

For CISOs today to be successful, therefore, their responsibilities must not only include building a robust cyber defense strategy on a limited budget but also convincing their corporate boards of directors — the group eventually responsible for their budget — that cybersecurity needs to be a budgeting priority. Yet, according to a report issued by consulting firm EY, the board is not engaged in the cybersecurity debate. In the report, nearly half of CISOs said their board “does not yet have a full understanding of cybersecurity risk,” and that just 54% of organizations regularly schedule cybersecurity as a board agenda item.

Getting the board onboard

How then, can CISOs convince their boards that cybersecurity spending needs to be a priority, and how should they express that need in a way boards can relate to?

The first priority for CISOs to advance their objectives is to ensure that board members understand the business issues — and not just the IT issues — involved in cybersecurity, stressing the damage that a cyber attack can have on an organization. Using real-life case studies at quarterly board meetings will help drive the point home — such as the object lesson furnished by Yahoo’s 2013 data breach, perhaps the most expensive in history. That breach cost Yahoo $50 million in damages, paid to customers whose details were revealed; millions of dollars more in fees for free credit monitoring it agreed to supply victims as part of its settlement; and a $350 million discount in its sale price to Verizon.

However, it is not enough for CISOs to highlight the potential damage a cyber attack can cause. Working with colleagues from across the company, they must also convincingly demonstrate the benefits that a robust cyber program can have for a business, stressing the opportunity to pursue additional revenue streams, target new customers, and upsell to existing clients.

Along with the business aspects of cybersecurity, board members need to both better understand the threats and come to appreciate the steps required to mitigate those threats so they can make informed, strategic decisions for the business. CISO presentations to the board need to include a discussion of the constantly evolving threat landscape, with discussions focused on how hackers choose their victims, how they penetrate networks, which security systems are likely to prevent attacks, and how effective they are.

What the board needs to see

Just as the CEO presents budget and corporate strategy reports to directors, CISOs should present security plans, with details on how security teams plan to defend the company and what they can do to minimize damage if an attack does take place. Once boards understand the technical issues, they will be able to understand the strategies presented to them — and weigh in on whether even more needs to be done.

To further make their case to board members, CISOs should propose a formal governance structure — similar to what the board would use for other business objectives — that will allow for effective reporting and analysis of data. That structure should include periodic audits and reviews, assigning ownership, ensuring that funding is adequate to meet challenges and needs, and developing monitoring mechanisms and accountability systems with measurable KPIs.

Members of a board of directors usually get to that position because of their business acumen. But in today’s cyber-environment, that business experience must be filtered through the lens of the potential impact a cyber event can have on a company. By helping their board of directors have a “cyber-first” mentality, CISOs will help themselves, allowing their company to develop a healthier and more robust cyber posture.

Ronen Lago is CTO at CYE.