Connect with us

Hi, what are you looking for?


Management & Strategy

Let’s Close the Cybersecurity Knowledge Gap in the Boardroom

As senior executives embrace digital transformation to move their business forward, cyber risk and security are a high priority. According to Aon’s 2017 Global Risk Management Survey, cyber risk is one of the top 10 business risks globally and number one in North America. Unfortunately, many executives lack the information or knowledge they need to mitigate cyber risk.

As senior executives embrace digital transformation to move their business forward, cyber risk and security are a high priority. According to Aon’s 2017 Global Risk Management Survey, cyber risk is one of the top 10 business risks globally and number one in North America. Unfortunately, many executives lack the information or knowledge they need to mitigate cyber risk. The National Association of Corporate Directors’ (NACD) 2016–2017 Public Company Governance Survey finds that almost one-quarter of boards are dissatisfied with the reporting that management delivers on cybersecurity. At the same time, the report finds that only 14 percent of the respondents feel that their board has a high level of understanding about cyber risks. 

If boards don’t understand cybersecurity, how can they govern cyber risk as they evolve their business through digital transformation? Using technology to build new business models, processes, software, and systems to increase efficiency, revenue, and margins helps to create a competitive advantage and disrupt markets. Think about companies like Amazon, Airbnb, and Square. But success depends on laying a strong cybersecurity foundation. 

This changes the role of the CISO in the boardroom. They are not only reporting out on questions of risk, but having to be an educator as well. I recently discussed how the role of CISOs is evolving beyond the traditional operational functions of preventing, monitoring, and responding to cyber attacks. CISOs and IT leaders are being asked questions about risk management they have never been asked before. For example: Are threat actors bypassing our defenses? What is our applicable risk? What kind of impact can they have? This shift presents an opportunity for security and IT executives to take a stronger leadership role and become a strategic voice in long-term security planning.

As a CISO or IT leader, there are four steps you can take to boost your effectiveness when you meet with your board and senior executives and help drive secure digital transformation. 

1. Understand your board’s appetite for risk and get involved in risk management

You need to invest in understanding business risk management so that you can effectively speak about risk in business terms and start to bridge the cybersecurity knowledge gap with enterprise leaders. To do this you must: 

• Understand the goals, philosophy, and policy of the business with respect to risk and risk management. 

• Demonstrate knowledge of the digital assets and business processes, including ownership, importance, business risks, and current mitigations. 

Advertisement. Scroll to continue reading.

• Take part in the enterprise and IT security risk management functions, and know all the stakeholders. 

• Actively engage senior leaders in discussion of how cybersecurity can support existing business activity and spur new business initiatives. 

2. Build a risk profile focused on protecting your enterprise’s most critical assets

Boards are responsible for governing risks. A risk profile informs them about cybersecurity risk in terms they understand so that they can determine the proper level of effort and investment needed to secure the company’s assets. As you build the risk profile, involve a wide variety of organizational stakeholders, including business leaders, data and process owners, enterprise risk management, internal and external audit, legal, compliance, privacy, and the Information Risk Management Security (IRMS) team. Focus on the three risk areas within IT security: 1) IT infrastructure, including hardware, software, applications, and IoT devices; 2) connections to partners, vendors, and customers; and 3) people’s actions and awareness when interacting with systems. Look at each of these areas through the lens of what matters most to the business and what threats could result. For example, manufacturers typically have a low tolerance for risks from threats to production lines, while healthcare facilities are most concerned about risks that threaten patient monitoring systems, infusion systems, and patient records.

3. Measure cyber risk and establish real metrics

Here’s where the rubber meets the road. Measurement is crucial to understanding real risk and being able to show and talk about continuous improvement. You need to translate internal IT focused metrics into metrics the board can use to make decisions and act. To be most effective, these metrics should measure risk and cyber resilience in terms that are straightforward, can be baselined, show trends, and point to what a good outcome looks like. Board metrics may include risk statistics (e.g., an increase or decrease in industry threats, types of threats, policy exception, and security staffing or budget) and threat mitigation statistics (e.g., time to detect, contain, patch, and remediate; length of system outage; percentage of systems impacted; and type and number of systems affected). 

4. Demonstrate effective cyber resilience and continuous improvement

You’re now in a position to demonstrate the ongoing stability, availability, confidentiality, and integrity of your enterprise information infrastructure. To communicate effectively with your board, focus your discussion on four broad topics: 1) recommended technologies and services that help ensure ongoing cyber resilience; 2) your approach to continuous improvement; 3) a review of metrics with the purpose of identifying and eliminating any that are less useful and adding new metrics over time; and 4) the business value of security, both in terms of return on investment (ROI) on security expenditures and as an enabler for new business initiatives. 

As the IT industry, compliance and legal requirements, threat actors, and your business model evolve, you must continuously revisit these four steps to ensure you remain focused on protecting your enterprise’s most critical assets. In so doing, you can have a business-oriented, forward-looking conversation with your board and business leaders, one that creates a deeper understanding of cyber risks and demonstrates how an effective cybersecurity strategy is essential for digital transformation. Closing the cybersecurity knowledge gap can provoke real, long-term change, and create a new perspective that not only protects customers and revenue, but also lifts-up your organization as a leader in its industry.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem