Point of View

Cyber threat is a big grizzly bear—don’t be the enterprise that can’t outrun it!


In Cyber Security Services: What’s in Store For 2018?, HFS highlighted that cybersecurity is a business concern rather than a purely technical one. To achieve a capable security posture, you must address the business first, and that cannot happen when the chief information security officer (CISO) and the executive board do not engage with each other enough. Here, we outline the barriers to the CISO and the executive board working together and provide recommendations to both parties to improve the situation.

Why the CISO and the Board are rarely on the same page

Table 1 outlines some reasons for the lack of communication between the executive board and security leaders.


Table 1: The disconnect between the CISO and the executive board

| CISO and security leaders | Executive board |
|---|---|
| Subject matter technical expert; struggles to position IT security in the business context | Business issues-focused; struggles to understand the technical and organizational requirements to achieve a good security posture |
| Focus: enterprise IT security products and services to solve specific security concerns | Focus: enterprise risk and brand protection concerns |
| Must manage their own budget to facilitate necessary spending on cybersecurity | Sometimes requires the CISO to report to the CIO or another executive, which can create competition for budget and lead to inadequate spending on cybersecurity |

Source: HFS Research, May 2019


Increasing interconnectivity and technological development mean enterprises are handling more data. However, unless customers trust you to secure their data, they may not allow you to have it going forward. Every news story about a data breach or data failure hammers another nail in the corporate trust coffin, and no enterprise wants to be the subject of that headline. It is therefore increasingly important to be able to communicate a robust and credible story about how you will protect your customers’ data and keep it safe when they do business with you. To do this, your enterprise board and the CISO team need to change their working relationship to achieve a strong enterprise security posture. The trust that used to be a given increasingly requires proof.


What does the executive board need to do? Empower the CISO

The enterprise executive board has traditionally lacked experience and expertise in cybersecurity. It’s all very well to understand that cybersecurity is an important issue, but that knowledge is useless if the enterprise is not able to achieve a meaningful cybersecurity strategy. Our top three tips for the executive board are:

    1. Add your chief information security officer (CISO) to the board. Security is such a large concern for any customer-facing business that you must address it at the board level. Enterprises can effectively manage this requirement by having an expert voice that provides a reality check for decisions without delay. A CISO also needs to be involved in enterprise strategy discussions to fully prepare for, or advise on, the effect that strategy will have on security.
    2. Let your CISO control their own budget. Too often we see a CISO reporting to a CIO, which can compromise spending on cybersecurity. Your CISO is typically a subject matter expert, so listen and invest accordingly—security ultimately protects your brand. Empowering your CISO to make important decisions and investments on an ongoing basis is crucial to achieving a robust enterprise security posture.
    3. Support your CISO. Our research shows that while many enterprises have identified security as a top-three initiative, the executive board still fails to provide adequate support to the CISO. Exhibit 1 shows that the biggest inhibitor to an organization’s security readiness is a lack of support from the C-level.

Exhibit 1: Lack of C-Level support puts the security of an organization at risk

[Chart: Which of the following are the biggest inhibitors to your organization’s security readiness? (top inhibitor) N=300]

Source: HFS Research, 2019


In return, the CISO needs to get business savvy or work elsewhere


HFS estimates that CISOs keep their jobs for only three years on average. They are not typically incompetent, but they often lack business acumen. The board therefore fires them, or the CISO becomes frustrated and moves on. Our top three tips for CISOs are:

  1. Position security as a business enabler for the enterprise strategy. Stop talking about security in technical terms, and stop framing it to the business only in terms of the negative consequences of inadequate security. Always talk about security as an enabler.
  2. Consider using a security service provider to help you to develop your business case. For example, Accenture offers a CISO Advisory Workshop to its clients. This includes a deliverable of an actionable plan and assistance to execute on that plan. Many service providers who work closely with boards understand how to communicate with them successfully, so reach out to them if you need help.
  3. Take an interest in the enterprise strategy, whether you are on the board or not. Not only does this position you as a business enabler, but it also helps you plan your team’s security requirements better.


The Bottom Line: The executive board and the CISO need to change their approach to cybersecurity to effectively protect their enterprise


Security is no longer a dirty word—a digitally enabled business needs to think about cybersecurity as part of its day-to-day and strategic decision making. The absence of a close working relationship between executives and the CISO will leave an enterprise vulnerable.
