In August 2019, the National Association of Corporate Directors (NACD) and Marsh & McLennan Companies (MMC) released a report with foundational advice for board directors to improve their oversight of digital transformation efforts and emerging technologies, such as artificial intelligence (AI), the internet of things (IoT) and robotic process automation (RPA). While aimed at directors, “Governing Digital Transformation and Emerging Technologies” offered several recommendations that chief information security officers (CISOs) can use to improve their organization’s handling of cyber risks and emerging disruptive forces.

Good News, Bad News

The good news is that board directors are aware of the potential impact of many disruptive technologies, with 18 percent pointing to AI, 15 percent to RPA and 10 percent to the IoT as key disrupters over the next five years. Directors are also aware of other potential disrupters, including blockchain, mobile computing, augmented reality and drones. Sixty-six percent of board directors agreed or strongly agreed that their organization was vulnerable to the disruptive impact of emerging technologies in the coming year.

The bad news? The digital economy won’t wait for your organization’s board and leadership to embrace change, and executives know it: Research by Harvard Business Review Analytic Services found that almost half of survey participants reported that “their organization’s traditional business model will be obsolete by 2020.” And, as the NACD/MMC report made clear, boards have a lot of work ahead to improve their understanding and governance of disruptive technologies. The current board governance, management structures and processes work, but primarily for periods of gradual changes in markets and conditions. If organizations are to survive rapid digital transformation, they will need to adopt governance and management strategies that can handle these changes, measured not in decades, but instead in months or, at most, a couple of years.

So, why should CISOs concern themselves with this maelstrom of activity at the top of their organizations? Because CISOs are uniquely positioned to help their organizations plan their digital transformation efforts, test the impacts of those efforts — including impacts on security, privacy and overall cyber resilience — and provide insights to top leadership and the board on the likelihood of success of each of those efforts and how they will impact the digital health of the organization.

To that end, I’ve reorganized the five principles outlined in the NACD/MMC report into three broad areas that are relevant to CISOs.

1. Treat Emerging Technology as Strategically Imperative

The report noted that not everyone means or understands the same thing when they talk about “going digital.” It’s important for the organization to have a clear internal picture of what is meant when those words are uttered. Many of us have seen a simple misunderstanding over terminology turn into a huge disagreement, with all the frustration, stress and inertia that misalignment and mistrust can create. Here the CISO can be part of the conversation, ensuring that new terms are put into proper context when first encountered in the C-suite or the boardroom.

CISOs can also play a key role at the planning stage, making sure organizations don’t fall into what the report called “random acts of digital innovation.” This happens when the organization doesn’t have a strategic road map to discuss, plan and implement various IT innovations. An overemphasis on immediate returns from narrowly focused technology investments can also backfire, creating conditions where the rate of change is prioritized over doing it right and ensuring security and privacy.

Yet readers are also encouraged to adopt a culture of experimentation with rapid feedback and lessons learned to help the organization deliver on its IT innovation projects. Finally, we’re reminded that technology governance is not the same thing as risk governance. Simply having board-level processes in place for risk governance doesn’t mean that the organization has a handle on technology governance — or cyber risk governance for that matter.

The CISO can help the organization recognize and treat emerging technology as a strategic issue. It starts by ensuring that everyone is on the same page when using terms like “going digital,” but also requires appropriate plans and processes to discuss, select and implement those changes. The CISO should take the lead in ensuring that the organization has a road map that places emerging technology in a strategic role, including outlining a path for reviewing and deciding on the best approach.

2. Provide Frequent and Forward-Looking Reports

The study reminded us of the need for clarity in cybersecurity and cyber risk reports. Information overload is a common mistake, where executives and the board are given too much information that in reality provides little insight into how security decisions affect business objectives. Another pitfall is trailing metrics that, at best, describe the present situation or focus only on past performance and conditions.

CISOs need to ensure that they not only provide the right information in the right way at the right time, but also that their dashboards aren’t received as a mumbo-jumbo of trailing metrics. Board directors not only want to know how well the organization is doing, but they also want to know how well the organization is adapting to technological change and the disruption that comes with it.

But CISOs don’t have to go it alone. They can ask for a board-level or C-level mentor to help them improve the quality of their reporting and communications, even learning what mode of communication is most appropriate to reach each board director. If organizations are to take steps to embrace digital transformation, top leadership and the board must receive forward-looking metrics instead of those that show the breadcrumbs that got them where they are.

3. Culture, Boards and Top Leadership Must Cope With Technological Change

The NACD/MMC report cautioned against boards that have a closed mindset, one in which continuous education isn’t valued and where only certain directors are versed in all things digital. The structure of many boards relegates cyber risk and digital disruption to a few select committees, thereby ensuring that the issues get little attention at the full-board level. The executive team should also embrace digital fluency, leading the way for the rest of the organization to adopt a change-ready culture, one that welcomes innovation instead of fearing it or actively stifling it.

What role can the CISO play in those issues? For one, the CISO should look for opportunities to engage with board directors and share educational tidbits that can be consumed in a matter of minutes, as directors are strapped for time. CISOs can also look at what other organizations — especially those similarly sized and in similar markets — are doing in terms of board governance and director education.

Simply sharing a clipping about competitors that have taken part in a cyber crisis simulation with the CEO and board allies can help gain support for similar activities in the future. However, CISOs should avoid appearing to curry favor in any small-group or one-on-one settings with directors if they want to encourage an open mindset of curiosity and innovation on all things digital.

Focus on the Key Disrupters of AI, RPA and the IoT

Of particular value for CISOs are the sections on the top three disruptive technologies: AI, RPA and the IoT. Each section contains a list of challenges that management and the board should consider, as well as trends and specific advice.

For example, in the case of artificial intelligence, the three key challenges are AI governance (safety, accountability, transparency), the increase in cyber risks posed by AI use (growing attack surface, complexity, data sharing mechanisms) and the labor market disruption it poses. While CISOs can’t do much about labor markets, they do play a leading role in reporting on and managing the cyber risks stemming from AI, and can play an important role in AI governance — either by participating on a governance committee or by educating decision-makers.

CISOs are in the front seat, and their masterful steering is needed to ensure safe digital transformation for their organizations.
