Cybersecurity in the Boardroom: 4 Reasons to Consider Adding a CISO to Your Board

When a single ransomware incident can cost tens of millions of dollars, many organizations are wondering if it’s time to add a CISO to their board and increase the focus on cybersecurity in the boardroom. According to the 2021 Global Chief Information Security Officer Survey, only 4% of CISOs currently sit on a corporate board. However, this report also finds that 90% of CISOs do present to their board or audit committee, but it can be at varying intervals – sometimes as little as once per year. As digital transformation and remote work dramatically increase our reliance on technology throughout every facet of an organization, this has started a call for more “diversity of thought” and cybersecurity expertise in the boardroom. In fact, Twitter’s CISO Rinki Sethi has joined ForgeRock’s BOD and is an advocate of more cybersecurity experts in the boardroom, stating, “Cybersecurity is talked about in the boardroom all the time; it’s one of the highest risk areas for companies.”

Gartner predicts that by 2025, 40% of boards will have a dedicated cybersecurity committee – this is up from 10% today. But since the risk of a data breach continues to rise at an alarming rate, is it enough? According to the ITRC, “the number of publicly-reported data compromises through September 30, 2021 has exceeded the total number of events in FY 2020 by 17 percent…” This begs the question or whether the slow adoption rate of incorporating cybersecurity in the boardroom is leaving organizations at risk.

Evaluating Risk

These days, cybersecurity risk is business risk. In 2021, CAN paid a 40 million dollar ransom. This is just one example of many organizations that face devastating costs, and the ransom costs are just a fraction of the expenses faced by organizations that experience a data breach. With expensive remediation, lost business, and reputation damage, organizations can’t afford to overlook cybersecurity in the boardroom – it may be one of the most financially devastating business risks organizations face today. From proactive prevention planning to incorporating cybersecurity into new products and remote work polices, let’s look at the benefits an organization can gain with a CISO on the board.

What Benefits Can a CISOs Bring to the Board?

1. Reduction of business risk. Most board members typically have a background in finance or as a CEO. Finding cybersecurity experts in the boardroom is rare. In today’s digital world, it’s too big of a risk to leave cybersecurity considerations out of your product roadmap, partner/supply chain, organizational budget considerations, and risk planning. Without a CISO on the board, your BOD is unlikely to consider the cybersecurity implications of business decisions and major initiatives – what looks like a wise, efficient decision to the CFO can have hidden security risks and costs that a CISO can flag.
2. Building secure products and organizational processes from the beginning delivers better KPIs. One of the challenges many organizations face in today’s digital world is that they decide on products, services, environments, or organizational initiatives, such as remote work and digital transformation, without considering cybersecurity from the beginning. Then, the organization tries to “bolt-on” cybersecurity during or after the implementation. This frequently slows organization growth and the project implementation process; it makes organizations both less efficient and less secure than if cybersecurity is incorporated from the start. Organizations can improve several KPIs by incorporating cybersecurity as a foundational element.
3. Building a strong cybersecurity culture. An ounce of prevention is worth a pound of cure. Most organizations have a culture that impedes imparting difficult news to the board. No one wants to look bad in front of the boss, and this leads to a lack of shared context and visibility gaps regarding cybersecurity risks in the boardroom. Even when the CISO cites the risks in a presentation and gives it to the board member liaison, that message may be edited, and risks glossed over when reported to the board. Adding a CISO to the board can help your technical teams understand the KPIs that are crucial to the board and vice versa. It can also ensure that your business team is security conscious, and your security team is aligned with business priorities. This can change the culture of an organization to significantly enhance its cybersecurity. For more information on this topic, read our blog on the importance of cybersecurity collaboration.
4. Increase the longevity of your CISO. Turnover in the CISO position is very high. In fact, the average tenure for a CISO is 26 months. This turnover is detrimental to your cybersecurity program. The vast majority of CISOs cite extreme stress levels, with a number of CISOs concerned that they will be fired if there is a data breach. It can be especially frustrating since many of these CISOs don’t have adequate access to the board to ensure everyone understands the risks and implications of not funding the cybersecurity budget. With better collaboration on cybersecurity in the boardroom, CISOs may be in a less tenuous and stressful position.

What if your organization is not big enough for a CISO? How do you incorporate cybersecurity into the boardroom?

Many SMBs are not big enough to be able to afford or really need a full time CISO. In this case, you will want to focus on ensuring regular, honest communication between your organization’s technical leadership and your BOD. If your team does not have the level of technical leadership necessary to bridge the gap and discuss cybersecurity using language and examples the board will understand, your organization may want to consider adding a fractional CISO service to provide that high-level guidance, communication, and vision. This provides the benefits of the executive level advice at a more affordable price, and a fractional CISO arrangement can be structured for only the hours your organization requires.

With today’s cybersecurity risks and data breach expenses reaching frightening heights, it’s crucial to ensure every organization incorporates cybersecurity into every level of the organization. From product planning and new business initiatives to internal processes, cybersecurity should be a foundational consideration to reduce risk in your organization. Perhaps it’s time for your organization to consider adding a CISO to the board or look at other ways to increase the focus on cybersecurity in the boardroom. We hope you found this information helpful. Contact us if you need additional help assessing or creating policies and processes to reduce the cybersecurity risk in your organization.