A value-focused mindset around value creation and transformation — not just value protection and recovery — will resolve some of the difficulties that CISOs run into when engaging with their boards. Just 42% of European respondents believe their board and executive management team always fully understands the value and needs of the cybersecurity team function; 64% believe that when they make the case for increased funding, the board may have trouble understanding their arguments.
But regulation, security and resilience are only part of the conversation. “Your CISO should be your partner, not a compliance exercise, and while that cultural shift is happening in some organizations, it is happening very slowly,” says Kanika Seth.
The result is that the cybersecurity function is not getting involved as much as it should be in transformation. In this year’s GISS, 24% of European respondents say the board regularly makes decisions on cybersecurity without the technical understanding needed to grasp the threat; and 32% warn that their cybersecurity teams are frequently not consulted, or are consulted too late, when urgent strategic decisions must be made.
Resetting the partnership between the board, the wider business and cybersecurity is crucial and increasingly urgent. “The CISO role can evolve into one that is no longer regarded as hindering new business but is seen as an enabler, as cybersecurity is adding confidence to innovation. This supports the organization to engage in business improvement,” says Bodo Meseke. CISOs therefore must:
- Ensure their boards understand their role in setting cybersecurity in the broadest sense.
- Reach consensus on cultural shifts such as security by design and, in the context of flexible and remote working, zero trust.
- Build a business value case for cybersecurity budget and resourcing.
- Run boardroom pilot risk exercises, alongside the CIO; these exercises might simulate a cybersecurity breach or other incident, to illustrate the risk and demonstrate the plans in place to manage it.
Prepare for growth
The evidence of this year’s GISS is that CISOs across Europe face a dilemma: they must cope with a regulatory environment that is fragmenting fast, while working with boards that do not see compliance as a justification for writing ever larger checks. Squaring the circle will require the cybersecurity function to think about how to play its part in business growth.
This will require CISOs to build much stronger relationships with other business leaders, particularly in areas such as product development, sales and marketing. Right now, only 24% of European respondents characterize their relationship with marketing as very positive, with 40% regarding it as negative.
CISOs have made much more progress with colleagues such as the chief risk officer and the chief financial officer, with 63% and 41% of European respondents pointing to relationships of high trust and consultation with risk and finance respectively. Now they must reach out to the rest of the enterprise.
Critically, this engagement will help CISOs meet the challenges of localized regulation. The key will be to build operating structures with common standards, which nonetheless mirror the way in which the business has developed.
This is not to understate the scale of the task that lies ahead. With threat levels elevated, CISOs must map the exposures and resilience of their entire ecosystems, build compliant structures that mitigate risk and prepare for response, and focus on enabling growth. This will require cybersecurity to acquire a broader skill set and to consider new leadership structures.
The prize for those CISOs who rise to the challenge is a valuable one. They will not only retain their status as protectors of the organization’s data and security, but also become trusted enablers of value creation and transformation.