“Security and risk management must become part of every business decision, and nobody within the enterprise is better positioned to advocate for those issues than the CISO.” — Fast Company

The relationship between the chief information security officer (CISO) and the board of directors is a topic that has received increased visibility in the past few years. The 2017 edition of the “Director’s Handbook on Cyber-Risk Oversight,” published by the National Association of Corporate Directors (NACD), is full of insights on the CISO-board relationship and provides updated recommendations for board directors to follow regarding oversight of cyber risks.

Five Ways to Encourage CISO-Board Engagement

Among the new elements are several appendices that offer valuable advice in areas of critical importance, including:

  • Cybersecurity Considerations During M&A Phases (Appendix B);
  • Board-Level Cybersecurity Metrics (Appendix E); and
  • Building a Relationship With the CISO (Appendix I).

We will focus on the last point, the CISO-board relationship. Appendix I of the NACD handbook provides fresh questions for boards to consider with respect to their CISOs. Below are five ways boards can build and enhance their relationships with CISOs.

1. Seek to Understand the Mandate and Role of the CISO

The positioning of the CISO greatly affects his or her ability to achieve the visibility and influence required to manage cybersecurity and cyber risks appropriately. From an organizational perspective, it is key for the CISO to have the ear and the attention of senior management and the board, to hold engaged conversations about cyber risks, and to ensure that those risks are integrated into the enterprise risk management (ERM) program.

Boards should pay special attention to where the CISO is positioned on the organizational chart, who controls the CISO’s budget, and the extent to which security projects might have to be cut due to budget or, in light of the current skills gap, staffing issues.

In addition, boards should review the frequency and quality of interactions between the CISO and other C-level executives. A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives From the Boardroom and C-Suite,” brought to light the disconnect between CISOs and chief information officers (CIOs) and the rest of the C-suite when it comes to security.

To ensure that top management is appropriately engaged in cybersecurity, the report offered the following recommendations:

  • Establish a security governance model and program to encourage enterprisewide collaboration.
  • Craft foundational materials for executive-level education.
  • Include the C-suite in developing an incident response plan and share it with the board for input.
  • Enforce security standards across both IT infrastructure and business processes.

2. Get to Know the Security Team Before an Incident

Boards are urged not to wait until a security incident has occurred to start familiarizing themselves with the security team. This is especially important because few CISOs — just 18 percent, according to the Deloitte Review — come from a management background or have as much experience as the rest of the board and C-suite.

Since much of the CISO's role is to build and manage the trust that the organization's leadership and customers rightfully expect, boards should engage early and often with the CISO's team to establish and reinforce this sense of trust. Such interactions also give the CISO the opportunity to gauge how much background knowledge board directors have about cybersecurity. For some directors, the conversation may need to start at a basic level, such as the risks of everyday devices like tablets and smartphones, before moving on to the risks inherent in the organization's broader technology.

3. Review the CISO’s Network of Influence

The IBM IBV study revealed that it is critical for CISOs to have appropriate, quality interactions with the rest of the C-suite. When it comes to internal visibility and influence, they cannot afford to be siloed in an IT-centric role. The CISO needs to be an active participant in all aspects of the organization, including business development, supply chain and third-party vendors, and engage with the legal, internal audit and human resource departments to ensure adequate employee onboarding and offboarding practices.

Beyond the confines of the organization, boards should also review the level of participation in information sharing activities such as public-private partnerships, other channels in which peer organizations share cyberthreats and indicators, and relationships with relevant law enforcement agencies.

4. Assess the CISO’s Performance and the Organization’s Security Posture

In less than a decade, cyber risks have become a key issue for boards and top management. While some organizations had the foresight to create a CISO position early on, those positions might not currently be staffed by the right person for the job. Instead of having an IT-centric perspective, this security leader should approach security issues in terms of cyber risks and their impact on the organization’s ability to achieve its business objectives.

CISOs must become strategic advisers to their organizations, top executives and boards of directors, and they have to communicate frequently and effectively. This comes easily, almost innately, to some CISOs. Others struggle to communicate, either because the territory is unfamiliar or because the organizational culture still views the role as a limited, narrow position.

The NACD handbook urged boards to ensure that the metrics to evaluate the organization are appropriate. And since the language of the board is risk, boards should confirm that the organization has deployed a sound, risk-based approach to evaluating, reporting and managing cybersecurity, ensuring adequate protection for its most valuable assets.

In addition, boards are under increasing pressure to adopt one of the standard frameworks, such as the NIST Cybersecurity Framework (CSF) or a risk management standard from the International Organization for Standardization (ISO).

5. Actively Review the Cybersecurity State of the Organization

Board directors must have frequent discussions about cybersecurity and continuously review its state within the organization. Together with the CISO, boards should discuss recent incidents to identify any gaps and ensure that the lessons learned are incorporated into incident response practices.

From a planning and oversight perspective, boards need to make sure that the organization is making adequate progress in shoring up its most critical cyber risks, leveraging internal audits and external penetration tests, and conducting red team exercises. For areas in which gaps remain, the board should take an active role in reviewing management’s plans and ensuring that appropriate resources have been provisioned.

The Future Depends on the CISO

A breach at any point in the organization’s systems can lead to a massive compromise of the entire network and, possibly, all the organization’s data. Given that cyber risks don’t respect the functional boundaries of the organization, the CISO-board relationship is one of the most critical dynamics in business today. The organization’s future depends on it.

For more insights from Chris Veltsos, listen to the podcast: Directors Are From Mars, CISOs Are From Venus
