
Four Things Your CISO Wants Your Board to Know

For years, it seemed we had to keep justifying why your company’s Chief Information Security Officer (CISO) deserves a seat at the boardroom table. In many industries, we’ve come a long way since then. At more and more organizations, CISOs have stepped up and begun conferring regularly with the CFO, CTO, and CEO on security strategy, cyber risk, and how to approach digital transformation.

While the CISO has become an integral part of some executive boards, that isn’t the case everywhere. Maybe your CISO-board relationship is broken, or there’s a divide between the CISO and the rest of the board. Sometimes, for better or worse, the CISO’s thoughts just fall on deaf ears.

If that’s the case, to help separate the signal from the noise, here are four things your CISO wants your board to know.

In Order to Adequately Protect an Organization, Your Cybersecurity Budget Should be More Than 1% of Your Overall IT Spend 

It’s been said time and time again: when it comes to cybersecurity, don’t skimp. Global IT spending has risen over the years to keep pace with today’s threats. ISG Research said earlier this summer that cybersecurity spending has nearly doubled year-over-year. As a percentage of total IT spending, it accounted for 4.7 percent in 2020, compared to 2.5 percent in 2019. Organizations should be spending at least that much to ensure they’re prepared to combat the threats of tomorrow.

Failing to properly budget for cybersecurity can lead to a host of problems. Organizations with old and outdated technology risk having weak or inadequate visibility across their environment, something that can leave them blind to threats targeting their data. Not spending enough on cybersecurity professionals, the defenders whose job it is to secure your company and your data, can leave an organization woefully unprepared for the next cyber incident, too.

When a company fails to properly fund its cybersecurity program, it can lead to lapses in judgment, like business decisions being made without considering their impact on IT as well.

It’s Impossible to Provide Metrics on How Many Advanced Persistent Threats You’ve Blocked in the Past Month

I’ve stressed this for years. One of the most misleading metrics in cybersecurity remains the number of threats your organization has blocked. Sure, it sounds great in theory to say you’ve blocked x number of threats across your perimeter and endpoints, but a raw count says nothing about what got past those controls, and it can fail to reflect the hard work your team is doing day in, day out.

Focus on metrics that build trust instead of causing confusion. Consider providing details including:

• Cyber threat dwell time – how long was an adversary in your environment before you discovered them?

• Patching and vulnerability metrics – how long did it take your team to fix an issue or roll out a patch for a vulnerability?

• For high-risk items, what’s the mean time to closure?

• How many incidents did your team identify and remedy?

• And if you’ve recently integrated a new security solution or introduced a cybersecurity initiative – like rolling out multi-factor authentication or a phishing awareness exercise – what was the result?
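The metrics above are all derived from timestamps your incident and vulnerability tickets already carry. The script below, added here as an example and not part of the original column, computes dwell time, mean time to closure for high-risk incidents, patch turnaround and SLA compliance, and an incident count from a handful of constructed records. The record layout (first_activity, detected, closed, opened, fixed, severity) and the 14-day SLA for high-risk findings are assumptions chosen for the example, not any particular tool’s schema or policy.

```python
"""Board-level security metrics from incident and vulnerability records.

Added example. The records below are constructed for illustration; the field
names and the 14-day high-risk patch SLA are assumptions, not a vendor schema.
"""
from datetime import datetime
from statistics import mean, median

# Constructed incident records: when attacker activity first began, when the
# team detected it, when the ticket was closed, and the assigned risk rating.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2020-06-01T08:00", "detected": "2020-06-04T14:30",
     "closed": "2020-06-06T10:00", "severity": "high"},
    {"id": "INC-2", "first_activity": "2020-06-10T00:00", "detected": "2020-06-10T09:00",
     "closed": "2020-06-10T17:00", "severity": "medium"},
    {"id": "INC-3", "first_activity": "2020-05-20T12:00", "detected": "2020-06-15T12:00",
     "closed": "2020-06-20T12:00", "severity": "high"},
    {"id": "INC-4", "first_activity": "2020-06-22T10:00", "detected": "2020-06-22T12:00",
     "closed": "2020-06-22T16:00", "severity": "low"},
]

# Constructed vulnerability tickets: when the finding was opened and when the
# fix was confirmed deployed.
VULNS = [
    {"id": "VULN-1", "opened": "2020-06-01", "fixed": "2020-06-05", "severity": "high"},
    {"id": "VULN-2", "opened": "2020-06-03", "fixed": "2020-06-25", "severity": "high"},
    {"id": "VULN-3", "opened": "2020-06-10", "fixed": "2020-06-12", "severity": "high"},
    {"id": "VULN-4", "opened": "2020-06-02", "fixed": "2020-07-10", "severity": "medium"},
]

HIGH_RISK_PATCH_SLA_DAYS = 14  # assumed policy for the example


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def dwell_times_hours(incidents):
    """Dwell time: how long the adversary was active before detection."""
    return [_hours_between(i["first_activity"], i["detected"]) for i in incidents]


def mean_time_to_closure_hours(incidents, severity="high"):
    """Mean detected-to-closed time for incidents of the given severity."""
    durations = [_hours_between(i["detected"], i["closed"])
                 for i in incidents if i["severity"] == severity]
    return mean(durations) if durations else None


def patch_turnaround_days(vulns, severity="high"):
    """Days from a finding being opened to its fix being deployed."""
    return [(datetime.fromisoformat(v["fixed"]) - datetime.fromisoformat(v["opened"])).days
            for v in vulns if v["severity"] == severity]


def patch_sla_compliance(vulns, severity="high", sla_days=HIGH_RISK_PATCH_SLA_DAYS):
    """Fraction of findings at this severity fixed within the SLA window."""
    days = patch_turnaround_days(vulns, severity)
    if not days:
        return None
    return sum(1 for d in days if d <= sla_days) / len(days)


def board_summary(incidents, vulns):
    """The handful of numbers a board can actually act on."""
    dwell = dwell_times_hours(incidents)
    return {
        "incidents_closed": len(incidents),
        "mean_dwell_hours": mean(dwell),
        "median_dwell_hours": median(dwell),   # median resists one long-lived intrusion
        "high_risk_mean_time_to_closure_hours": mean_time_to_closure_hours(incidents),
        "high_risk_mean_patch_days": mean(patch_turnaround_days(vulns)),
        "high_risk_patch_sla_compliance": patch_sla_compliance(vulns),
    }


if __name__ == "__main__":
    for key, value in board_summary(INCIDENTS, VULNS).items():
        print(f"{key:40s} {value:.2f}" if isinstance(value, float) else f"{key:40s} {value}")
```

Reporting both mean and median dwell time matters: a single intrusion that went unnoticed for weeks (INC-3 above) drags the mean to several days while the median stays under two, and the gap between the two is itself a talking point for the board.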

Building a Culture of Cybersecurity as a Top-down Strategy is Imperative

Sure, getting and maintaining executive buy-in is important, but cybersecurity is a team effort. CISOs need to build a culture where all team members understand the importance of your program and their role in cybersecurity. It’s everyone’s responsibility to keep an organization safe. Like any other companywide effort, this is most effective when the messaging comes from the top.

If you’re overseeing a new security initiative, training must take place continuously – especially when new employees are onboarded to an organization. Your regular risk assessment should be performed alongside phishing exercises to ensure employees stay vigilant and alert.

It can be a challenge to overcome, but your organization needs to move away from the concept of siloed departments. Each part of the organization must feel interwoven with the others, working toward the same goal of protecting your assets.

Align Your Cybersecurity Strategy to an Acceptable Framework that Demonstrates Maturity Over Time 

Just because an organization hires a CISO doesn’t mean it’s secure on day one. Cybersecurity needs nurturing; it can take time to build and develop a robust program.

One of the first steps is ensuring the board understands where the organization is today in terms of control maturity. From there, you can develop a plan to achieve higher levels of maturity over time.

The National Institute of Standards and Technology (NIST) has several frameworks that can assist here. Its Cybersecurity Framework can help organizations improve their posture when it comes to identifying, protecting against, detecting, responding to, and recovering from threats. And NIST’s Program Review for Information Security Management Assistance (PRISMA) methodology can help assess an organization’s maturity level, too.

On a federal level, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework provides for five levels of certification in both cybersecurity practices and processes. Each of these control areas can be directly tied to budget requirements as well, which helps instill confidence in the numbers you present to the board.

There’s no doubt that there are a lot of things on your CISO’s mind. Whether they have an active role at board meetings or not, chances are these are some of the most pressing items they’d like to discuss with you.


Tim Bandos is the Chief Information Security Officer & VP of Managed Security Services at Digital Guardian, with more than 15 years of experience in information technology and securing mission-critical data. Tim joined Digital Guardian in 2016 as VP of Cybersecurity and successfully built the company’s Managed Detection & Response program from the ground up. Prior to Digital Guardian, Tim ran a global security team for DuPont, where he was responsible for overseeing internal controls, incident response and threat intelligence.