CISOs facing boards need better business, communication skills

As information security becomes a more important topic of interest, CISOs are increasingly asked to step up and brief boards on cyber issues

As information security becomes a more important topic of interest for corporate boards, CISOs are increasingly asked to step up and brief boards on cyber issues -- which means they need to become better communicators, and have a broader understanding of business needs.

According to a recent survey by Veracode and the New York Stock Exchange, 80 percent of boards discuss cybersecurity at nearly every board meeting.

"It's become a really serious issue," said Chris Wysopal, CTO and CISO at Veracode.

Communication skills

Despite the growing interest in cybersecurity, boards still have a long way to go before they're fully educated about cybersecurity.

According to a June study by Fidelis Security and the Ponemon Institute, 26 percent of board members admit to "minimal or no knowledge" about cybersecurity, and only 33 percent say that they are "knowledgeable" or "very knowledgeable."


This lack of education is combined with an inflated view of their company's security: 70 percent of board members said that they understand the security risks to the organization, but only 43 percent of IT security professionals agreed that the board understood those risks.

Only 18 percent of IT security professionals rated their companies' cybersecurity governance practices as very effective -- compared to 59 percent of board members.

This is a difficult communications gap that needs to be addressed on both the board level and by CISOs themselves.

But that doesn't mean that boards want to hear about all the technical details of the latest security technologies.

"Boards want the CISO to give them risk metrics and peer benchmarking," Wysopal said. "They want to know how they're doing related to like companies. Those are all good things that are going to help boards understand the true risk of cybersecurity."

Instead of focusing on vulnerabilities, or tools deployed, CISOs should focus on easy-to-understand metrics that show how effective the company is at managing security, said Matt Alderman, vice president of strategy at Tenable Network Security.

"This requires top line metrics associated with impacts to the business," he said. For example, that could be the amount of money lost due to security failures.

Operational metrics could also be useful, he said, such as reducing the potential attack surface.

"My job is to facilitate the awareness of risk and be in a position of educating my leadership about what risk they are willing to accept," said Paul Calatayud, CISO at Surescripts.

Business know-how

Surescripts processed 6.5 billion transactions last year for 98 percent of U.S. pharmacies, so the worst-case cyber-risk scenarios are pretty bad.

Despite that, Calatayud said he doesn't pitch new security projects to the board based on improving security, but based on increasing business value.


For example, medical fraud has an impact on the company's brand and reputation, so Calatayud started out by getting the marketing department to understand the net benefit of that particular project.
