There is no doubt most members of a board of directors will shiver when told their organization has been the victim of a data breach. Ordinarily, however, they shouldn’t collapse. A well-briefed board should understand a network breach is unavoidable for any enterprise, so what matters is whether the organization is prepared.
It’s the responsibility of the CISO to prepare the board for that inevitability. But do boards want to hear the message? Columnist George Hulme argues that a recent PricewaterhouseCoopers survey on the state of U.S. cybersecurity suggests there are three types of organizations when it comes to board awareness: horrendous, adequate, and excellent. Nearly a third of respondents said their security leaders make no presentations at all to the board, while 26 per cent of CISOs, or their organization’s equivalent, provide an annual presentation to their board of directors.
Only about 30 per cent of respondents said their senior security executives give quarterly cybersecurity presentations.
One-third of survey respondents at small enterprises reported that they don’t ever advise the board on cybersecurity efforts. Perhaps that’s understandable since smaller organizations don’t see themselves as having large repositories of personal or financial data (a bad assumption). Still, Hulme says, a “shockingly high” 18 per cent of security leaders at larger enterprises don’t talk to their boards either.
“While business leaders talk about how important cybersecurity is,” Hulme writes, “security laments that it’s not getting the tools and the resources needed to adequately secure the organization.”
What should the CISO do? Earlier this year I interviewed Forrester Research analyst Martin Whitworth (see the link above to CISOs are ‘ignoring the writing on the wall,’) who told me security leaders have to work at cultivating board contacts to make sure their voices are heard, and to make sure they talk the language of business risk.
But, as Greg Thompson, Scotiabank’s vice-president of IT risk told a Toronto conference earlier this year, that doesn’t mean they should make their messages simple. “We’re at the point now in cybersecurity where we should not be dumbing down our message,” he said. “We should not be talking in a language the business understands. The business needs to understand our language. Boards of directors need to understand our language.”
Clearly CISOs still have some work to do to make sure their messages are heard at the board level — before there’s gnashing of teeth.