Getting the board on board with cyber

Participants in our “Who Secures Europe” research project shared their thoughts on the board’s appreciation for CISOs’ perspectives on risk, and on the adequacy of board-level support for the company’s infosec team.

More than half of our participants responded positively, which is encouraging. However, for both questions the proportion who were fully confident is low (hopefully reflecting caution on the CISO’s part more than apathy on the board’s), and more than a quarter were dissatisfied.

Though the two charts are very similar, where there are differences participants seem more optimistic about ‘appreciation’ than they are about how much support it earns them.

The sector where the discrepancy between appreciation for risk knowledge and adequacy of support was most significant was government. Only 29% of these participants said that CISOs’ risk knowledge went unappreciated, but 63% said that the level of support their cybersecurity team received was insufficient.

However, that doesn’t necessarily mean that CISOs are overestimating how seriously they’re taken, or that they’re failing to advocate effectively for information security. It’s more likely just the nature of business. The board may well be conscious of cyber risk and its potential business impact, but it’s still one of many operational risks a business faces, and for many organisations it’s unlikely to be an existential threat. With other risks to think about (a recent study found that companies’ top concerns were talent management and economic uncertainty), the considerable resources that would be required to satisfy a cybersecurity team’s every desire simply may not be available.

The CISO may well come to the same conclusion. It’s fair to assume they’ll do their best to win investment for their department, but their honest recommendation may be that, past a certain point, the cost of additional security controls would be disproportionate to the likelihood and potential impact of an incident.

Additional complicating factors include:

  • these responses rely on perception; this is still valuable information, but it’s not a given that those perceptions will be accurate.
  • CISOs made up a substantial proportion of our participants, but not all. Participants were all information security stakeholders and as such their perspective is still valuable, but those in roles such as Head of Audit or IT Architect may not be privy to the CISO’s relationship with the board.
  • the extent of the CISO’s strategic knowledge of operational risk, and of their business, will inevitably vary from organisation to organisation. Contributions to risk discussions made by a CISO whose extensive knowledge of operational risk management is only partially appreciated may still have more impact than those made by a CISO whose limited knowledge is fully appreciated.

Even keeping all this in mind, some interesting trends can be seen.

The following chart compares participants’ answers to each question across all industries, allowing us to see where the discrepancy is arising:

Only 28% of participants who said the board fully appreciated CISOs’ risk knowledge also said that the board-level support the cybersecurity team received was completely sufficient. As discussed above, that doesn’t necessarily mean these participants were overestimating how much the board values their input – but it’s still a low percentage.

The other big difference is among participants who were neutral or unsure regarding board-level appreciation for CISOs’ risk knowledge: the majority seemed to feel on firmer ground (for better or worse) with the level of the support they received. Job title didn’t affect responses dramatically, and many of the participants who were ‘unsure’ about board-level appreciation were CISOs themselves.

If a CISO is ‘unsure’ whether their risk knowledge is appreciated, the odds are low that they’re having engaged, in-depth discussions with the board about cyber risk. Overall, 43% of participants were unsure or pessimistic about the extent to which CISOs’ risk knowledge is appreciated, a statistic which doesn’t inspire confidence in those organisations’ level of infosec maturity. It doesn’t necessarily translate to a lack of interest or investment from the board, but CISOs who can communicate the importance of their function to the company’s overall risk profile will have an easier time driving that investment themselves, rather than depending on the board or other functions.

But what do appreciation and support mean in practice? There’s no straightforward metric for this, but we did ask participants about the size of their company’s information security team, and their priorities in a solutions provider.

Participants who answered positively to these questions typically – though not always – had the largest information security teams, whereas those who felt support levels and appreciation for the CISO’s risk knowledge were inadequate mostly had small teams, with more than half reporting teams of two members or fewer.

Those who felt that board support was inadequate were particularly likely to prioritise affordability when choosing a solution (roughly a third placed it among their top three priorities), while the importance placed on affordability dropped as participants reported higher levels of confidence.

Looking at how results vary across the industries represented among our participants, it’s unsurprising to see that participants from the banking and finance sector were among the most confident in responses to both questions, though in both cases first place goes to the telecoms industry:

There was a little more competition, so to speak, for last place. The legal sector had the highest proportion of participants who were entirely pessimistic about their level of support, but otherwise was reasonably confident. Participants working in education were the most likely to report an unappreciated CISO or an unsupported team, with the logistics industry not far behind them. And as mentioned, government employees were somewhat unusual in the significant disparity they reported between the board’s appreciation for risk knowledge and the level of support this resulted in.

Overall, the results are fairly in line with what one would expect. For the most part, there is a strong positive relationship between boards’ willingness to engage with the CISO regarding operational risk, and the level of support the cybersecurity team receives, although it’s not necessarily a causal relationship. Highly regulated industries such as telecoms and finance report the greatest degree of board-level investment, and that’s reflected in the size of their information security teams and the resources they’re able to devote to software solutions as well.

If CISOs in other sectors hope to earn similar levels of buy-in, making the board understand the relevance of cybersecurity to overall operational risk in terms they can engage with (i.e. $$$) will be key. Or failing that, get some regulation passed, and make sure the regulators have plenty of teeth.

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.
