Security Leaders Urge C-Suite to Step Up in Cybersecurity
Security experts are urging top executives and boards to enhance their cybersecurity efforts. The rapidly evolving threat landscape and increasing regulations mean that companies face significant financial, reputational, and even national security risks.
Traditionally, there has been a power struggle between security leaders and boards, hindering collaboration. Can the C-suite and security leaders find common ground? Techopedia seeks insights from industry experts.
Key Points- Understanding Gaps: Many boards lack a basic grasp of cybersecurity, making it hard for them to assess risks and hold leadership accountable.
- Communication Issues: Security leaders struggle to effectively communicate with boards, often relying on data rather than compelling stories.
- Conflicting Priorities: Boards focus on short-term gains, clashing with the need for long-term cybersecurity investments.
- Necessary Changes: Boards must include cybersecurity experts, improve communication, and prioritize investments in cybersecurity.
- Understanding Gaps: Many boards lack a basic grasp of cybersecurity, making it hard for them to assess risks and hold leadership accountable.
- Communication Issues: Security leaders struggle to effectively communicate with boards, often relying on data rather than compelling stories.
- Conflicting Priorities: Boards focus on short-term gains, clashing with the need for long-term cybersecurity investments.
- Necessary Changes: Boards must include cybersecurity experts, improve communication, and prioritize investments in cybersecurity.
Unraveling Contradictions in Executive Boards Today
Surveys highlight a persistent conflict between boards and security teams. For instance, a Fortinet report shows that 97% of security leaders believe their board views cybersecurity as a business priority. Yet, Trend Micro research reveals that most CISOs feel pressured to downplay cyber risks by their boards.
Techopedia delves into these contradictions with insights from top cybersecurity leaders.
Michael Marcotte's Insights
Michael Marcotte, founder of the U.S. National Cybersecurity Center and artius.iD, emphasizes the widespread lack of fundamental cybersecurity knowledge among board members. He points out that many board members are concerned but don't know where to begin.
Marcotte advocates for having a cybersecurity expert on every board to guide these efforts effectively.
The SEC Rule: A Missed Opportunity
Eric O'Neill, a former FBI operative and founder of The Georgetown Group and Nexasure AI, discusses the 2023 SEC rule on cybersecurity risk management. Although the initial proposal required boards to disclose cybersecurity expertise, the final rule did not.
O'Neill argues that boards often lack the understanding needed to independently assess cybersecurity risks, leading them to rely on management. He suggests that boards seek external consultants to help them understand and manage these risks.
Aligning Priorities
The disconnect between board members and security teams is evident. A Trend Micro report indicates that 34% of security leaders feel their boards see them as repetitive or nagging. To bridge this gap, security teams are investing in better communication, using data storytelling, and creating compelling presentations.
Marcotte believes that boards need to take cybersecurity more seriously and fight harder to secure talented experts.
Effective Communication Strategies
O'Neill shares that storytelling is crucial in convincing boards about cybersecurity importance. He recommends walking board members through a real cyber attack scenario to illustrate the disruption and damage it can cause.
O'Neill also stresses the importance of boards understanding their role in cybersecurity, especially in light of new SEC rules.
"A key responsibility of a board of directors is to oversee the company and its leadership. If the board lacks a basic understanding of cybersecurity and its importance, they can't effectively do their job."
Modernizing Board Approaches
Many boards have not kept pace with modern business needs, often prioritizing finance and legal expertise over cybersecurity. Marcotte likens this to a soccer team without defenders.
O'Neill adds that budget constraints often lead to cybersecurity being one of the first areas to face cuts, which is risky in today’s environment.
Winning Board Support
Itay Glick, VP of Products at OPSWAT, explains that boards are typically focused on ROI, making cybersecurity decisions challenging. Security leaders need to translate complex threats into clear business impacts, showing risks in financial terms and aligning their strategies with market trends.
By doing so, they can gain the necessary support and resources to bolster their organizations' cybersecurity defenses.
"Security leaders can gain board support by breaking down complex threats into understandable business impacts. This involves showing the financial risks versus costs, explaining why cybersecurity is crucial, and highlighting what other companies are doing in the same area."