- There is a huge gap between the views of senior executives/boards of directors and CISOs when it comes to managing cyber risks.
- To bridge that divide, CISOs need to speak the language of business risk, while executives must remove the blinders that keep them from seeing the depth of the problem.
A couple of recent studies underscore the very large disconnect between boards of directors/CEOs and the CISO when it comes to managing cyber risks. In the “Governance of Enterprise Security: CyLab 2012 Report,” conducted by Carnegie Mellon CyLab for RSA, some very disturbing findings came to light from the energy/utilities sector. That study scrutinized whether boards and CEOs were carrying out fundamental cyber governance tasks and discovered that 71% of those boards rarely or never reviewed privacy and security budgets, 79% rarely/never reviewed roles and responsibilities, 64% rarely/never reviewed top-level policies and 57% rarely/never reviewed security program assessments. This, in a highly regulated and essential industry.
The other survey of 300 IT security professionals at Infosecurity Europe, conducted by Cryptzone, found that 52% of respondents believe that boards have access to the enterprise’s most sensitive information while having the least understanding of security. It also found that more than half of those security professionals think that executives and directors believe that they are above having to comply with their organization’s security policies and procedures.
It’s easy to assign blame – CISOs aren’t communicating in a language spoken by business leaders (the language of business risk) and directors are putting their heads in the sand and giving short shrift to a critical business problem. At the recent IT Security Analyst & CISO Forum in London, one CISO from a large multinational said, “In reporting security metrics to boards (of directors), they want to know ‘how secure are we and what’s the trend’, and you get one line to answer it.” At the other end of the spectrum, another CISO in the same exchange urged colleagues to build relationships and gain support from the CFO by speaking “the same language…At the end of the day it’s about us becoming more business managers than technology managers.”
The inflammatory headlines for those studies asserting “clueless” boards and the “flouting” of security policies by executives and directors should serve as a wake-up call to both CISOs and the boards they should be communicating with. Hiring a CISO, maintaining the same (or ever so slightly higher) IT security budget and assuming the problem is taken care of while a constant stream of breach headlines proves otherwise is not good risk management. Conversely, CISOs need to communicate the issues in terms of business risk, rather than technology, vulnerabilities or threats.
Not all boards are so clueless, and new SEC guidelines that came out late in 2011 could help to better align boards and the CISOs that report (directly or indirectly) to them. The SEC guidelines mandate that publicly held companies disclose any security events that materially impact the organization’s products, services, relationships or competitive stance, or that could make investing in the company riskier. Meanwhile, another IT security executive at the CISO Forum in early May said that he is seeing more boards taking direct sponsorship of security initiatives.