Corporate boards are adjusting to the new reality of business by treating cyber risk as a business factor to be considered equally and thoughtfully along with other, more traditional risks. While still in the early stages of adoption, today’s boards acknowledge information security’s role in business continuity and are shifting perspectives.
This creates an opportunity for boards to leverage their governance role to establish new leadership coalitions on cybersecurity at their organizations. Accordingly, the report prepared by Mass Insight for the ACSC, “Leveraging Board Governance for Cybersecurity,” recommends that boards “build confidence in cyber operations and frame strategic discussions around key risk issues and questions.”
In a survey conducted for the research study, 64% of respondents, holding either a CISO or CIO role, said that their boards are in the “early or maturing stage” of being able to govern cybersecurity at their organizations, while 21% said their boards had full partnership on cybersecurity responsibilities. The report defines “early stage” as “the board is largely listening and learning from our briefings and will move towards a maturing partnership in the next year.”
The opportunity for the board to lead cyber decisions in an organization is one of five key findings of the research. “Organizations are developing a better understanding of cyber risk and how it aligns with business and mission requirements, with CISOs developing new approaches for communicating with their leadership team peers,” said ACSC Executive Director Michael Figueroa. “That said, I continue to hear from CIOs and CISOs that the relationships between business leaders and security executives continue to be tenuous, aligned more with technical delivery than with business risks. We intend to continue studying other perspectives on those relationships to help build more effective communications practices and will convene our new CISO Roundtable series, a quarterly meeting of ACSC member executives, to operationalize those practices.”
Modern cybersecurity is a function of cyber risk mitigation and an organization’s risk appetite. As with other business functions, effective security practices are based on recognizing security executives as business leaders who must forge partnerships across the leadership team. Boards can help by acknowledging the critical role cybersecurity plays in all business functions and by driving non-security leaders to account for cyber risk in their strategic business planning.