CISO and Director Perceptions of Each Other, and Themselves, Diverge
Few board-level topics have been as noteworthy or confusing in recent years as cyber risk, and with it, the changing role of chief information security officers (CISOs).
A pair of interesting studies released in recent months, Optiv Security’s The State of the CISO and NACD’s 2019-2020 Public Company Governance Survey, provide interesting insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity, and perhaps even more interestingly, how they view their work relative to how others perceive their roles.
Boards and CISOs Are Better Aligned
The stereotypical storyline of the board-CISO relationship goes a little like this: CISOs have trouble communicating with boards due to the difficulty of connecting cybersecurity programs to business value. As a result, directors think of CISOs as technical personnel rather than true C-level executives, and CISOs think board members just don’t get cybersecurity.
However, Optiv’s recent report, which surveyed 100 CISOs from the United States and another 100 from the United Kingdom, indicates that this gap in perception is narrowing considerably. Ninety-six percent of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86 percent said they are getting more funding for their programs because of this improved understanding.
Similarly, NACD’s most recent survey of directors found that 79.3 percent of board members believe their board’s understanding of cyber risk has significantly improved compared to two years ago. Only 8.7 percent indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.
There’s Still Room for Improvement
While the communication gap between CISOs and board members appears to be narrowing, there is still a bit of a chasm when it comes to business priorities. According to the Optiv survey, 76 percent of CISOs feel that cybersecurity has become so important in their organizations that “CEO tracks” for CISOs will start to emerge. Seventy percent of US respondents and 64 percent of UK respondents said that executive leadership at their company ranks cybersecurity as their top enterprise concern, even if it slows down business.
But NACD’s survey shows that directors are not quite on the same page when it comes to business priorities. Only 28 percent of responding directors said they prioritize security above all else, even if it slows down business, and 61 percent said that cybersecurity should not be prioritized above overall business velocity. While these numbers undoubtedly would have been far lower just a few years ago (before directors began scaling the cybersecurity learning curve), they indicate that CISOs may be a bit optimistic in their view of how boards prioritize cybersecurity.
Breach Experience Is a Resume-Builder
Perhaps the most interesting finding across the two surveys is how CISOs and boards view CISO breach experience. It was not long ago that a breach hitting the headlines was a career-limiting event for CISOs. Today, there is a greater understanding from boards that breaches are often unavoidable, and it is the response to a breach that is the true measure of a CISO’s performance.
In Optiv’s survey, 58 percent of CISOs indicated that having breach experience on their resume increases their chances of being considered for other CISO roles. This is a far cry from just a few years ago, when a data breach was a “scarlet letter” on CISO careers, and indicates a significant shift in how senior executives and boards view CISOs and data breaches.
However, NACD’s survey validates that CISOs are actually underestimating the value of breach experience on their career paths compared to how directors view such skills. Ninety-two percent of directors surveyed said that experiencing a breach makes a CISO candidate more attractivebecause they have expertise in helping companies respond and recover from a breach incident.
The Relationship Continues to Evolve
These are only a few data points on the complicated relationship between CISOs and their boards. However, the Optiv and NACD surveys do reveal several important trends:
Cyber risk has become important enough that cybersecurity is a board-level business priority.
Directors are educating themselves on cybersecurity and have a much better understanding of the risks and security technology than they did just a few years ago.
CISOs are emerging from the old perception of being “technical personnel” to becoming legitimate C-level executives. The perceptions around breach experience speak to this: there’s now an understanding that no organization can stop all breaches, and the most important thing is to have an experienced hand guiding breach response and recovery efforts.
The cyber risk landscape is constantly evolving, and so shall the relationship between CISOs and boards. It will be interesting to watch how things progress in the years to come.
Mark Adams is the senior practice director of risk transformation at Optiv.