EY Global Board Risk Survey
20% of boards are extremely confident in their organizations’ cyber-attack mitigation measures.
The inability of the security team and leadership team to communicate effectively about the importance and value of security, coupled with a relationship deficit, helps explain the widespread failure to involve cybersecurity at the earliest stage of designing new, technology-enabled business initiatives. As any security professional will attest, failing to design security and resilience into initiatives from the beginning, as one would design safety equipment into a car before putting it on the road, is a recipe for failure.
In this context, the disconnect between cybersecurity teams and senior business leaders has the potential to be highly damaging. Many boards and C-suites do not fully appreciate the value of their cybersecurity programs or have not studied their needs in detail. Most importantly, they fail to see security as a strategic requirement which must be considered during the planning stages of any new initiative. CISOs who fail to build stronger relationships with their boards and C-suite partners will, therefore, continue to struggle in the role of “firefighter,” as opposed to strategic advisor who can help business leaders make important decisions about risk trade-offs.
A new role for the CISO?
How can the cybersecurity function address these issues? One challenge will be to set out in more detail the value it generates. For example, only 7% of companies are confident that they can quantify, in financial terms, the impact of a cybersecurity breach.
Raising the profile of cybersecurity issues at board level is also crucial. Almost a third of companies (32%) say that cybersecurity is a board agenda item only annually – or never. And at many companies, the issue makes it onto the agenda only on an ad hoc basis.
These data show that CISOs need to rethink their roles as they seek to protect their organizations from cybersecurity risk. While they will continue to need strong technical skills and expertise, their ability to forge stronger relationships at board level and with other functions is becoming more and more important.
Organizations in every industry are now confronted by the challenges of disruption and the rapid emergence of significant opportunities, and it is their CISOs that have an unparalleled opportunity to become agents of change. Those CISOs that raise their profiles, cement their position at the center of the enterprise and offer pre-emptive ways to mitigate risk will become key enablers of strategic transformation.
Summary
New EY research suggests not all company boards or C-suites understand the cyber risks their businesses face – as a result, many are failing to confront this issue. CISOs share the responsibility: they may now need to rethink their roles in order to tackle this issue.