Are boards deaf to CISOs, or do they just not care?

There is no doubt most members of a board of directors will shiver when told their organization has been the victim of a data breach. Ordinarily, however, they shouldn’t collapse. A well-briefed board should understand a network breach is unavoidable for any enterprise, so what matters is whether the organization is prepared.

It’s the responsibility of the CISO to prepare the board for that inevitability. But do boards want to hear the message? Columnist George Hulme argues that a recent PriceWaterhouseCoopers survey on the state of U.S. cybersecurity suggests there are three types of organizations when it comes to board awareness: horrendous, adequate, and excellent. Nearly a third of respondents said their security leaders make no presentations at all to the board, while 26 per cent of CISOs, or their organization’s equivalent, provides an annual presentation to their board of directors.

Only about 30 per cent of respondents said their senior security executives give quarterly cybersecurity presentations.

One-third of survey respondents at small enterprises reported that they don’t ever advise the board on cybersecurity efforts. Perhaps that’s understandable since smaller organizations don’t see themselves as having large repositories of personal or financial data (a bad assumption). Still, Hulme says, a “shockingly high” 18 per cent of security leaders at larger enterprises don’t talk to their boards either.

“While business leaders talk about how important cybersecurity is,” Hulme writes, “security laments that it’s not getting the tools and the resources needed to adequately secure the organization.”

What should the CISO do? Earlier this year I interviewed Forrester Research analyst Martin Whitworth (see the link above to CISOs are ‘ignoring the writing on the wall,’) who told me security leaders have to work at cultivating board contacts to make sure their voices are heard, and to make sure they talk the language of business risk.

But, as Greg Thompson, Scotiabank’s vice-president of IT risk told a Toronto conference earlier this year, that doesn’t mean they should make their messages simple. “We’re at the point now in cybersecurity where we should not be dumbing down our message,” he said. “We should not be talking in a language the business understands. The business needs to understand our language. Boards of directors need to understand our language.”

Clearly CISOs still have some work to do to make sure their messages are heard at the board level — before there’s knashing of teeth.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web