Boards Challenged to Embrace Cybersecurity Oversight
Cybersecurity failures are now business risks that CEOs and Boards must own. The world of business owners, investors, and their representatives is collectively realizing the potentially catastrophic impacts of cybersecurity incidents when cybersecurity is not incorporated into the strategic management of the most senior business leadership. Many regulatory bodies, insurance providers, business partners, and customers take cybersecurity very seriously and now hold the CEO and Board accountable. As a result, the oversight of cybersecurity is being elevated to the CEO and Board of Directors.
The newfound importance has rapidly elevated the career trajectory of security leaders into the ranks of the C-suite. The Chief Information Security Officer (CISO) role is now common in medium to large businesses, and these professionals have growing visibility to the CEO and senior staff. Boards too are now under pressure to include oversight of cybersecurity as part of their fiduciary duties. CISOs have become a focal point, being the leader and subject matter expert, often providing regular status reports and conversing directly with the Board. This was unheard of just a few years ago, when many top information security leaders were no higher than the Director level, several layers removed from the CEO and with limited influence.
Times change.
Newfound Connections Between the Board and CISO
Most CISOs now have a regular audience with their respective Boards. For privately held companies, nearly 39% of CISOs provide reports to the Board of Directors quarterly, and 74% at least once a year. For publicly traded companies, the numbers are even higher, with 89% providing a report at least once a year. Never has the CISO benefited from such exposure to the Board as they do today. (Source: Hitch Partners 2024 report)
With that newfound engagement comes expectations. Boards feel the pressure to oversee cybersecurity in the same strategic manner they manage other business risks, operations, and long-term strategies. However, most Board members are not familiar with the chaotic, ambiguous, and non-linear world of cybersecurity. It seems like it would be relatively simple, but the deeper one goes, the more it is revealed to be atypical and unpredictable.
Given the potential stakes, it is common for Fear, Uncertainty, and Doubt (FUD) to run rampant at the most superficial level because value is difficult to estimate. Regular tools, such as return on investment calculators, don’t apply. Potential losses seem obscured somewhere between zero and utter destruction. It is not uncommon for cyber risk estimates to be orders of magnitude off. The metrics for investment, success, and optimization are not as robust or mature for cybersecurity as they are for other domains the Board oversees. Even the insurance industry cannot get an accurate grasp of cybersecurity. The result of this ambiguity is that every company and Board evaluates and measures cybersecurity differently. Understandably, it is an ugly mess that the Boards now feel burdened with.
New Challenges for Board Oversight
Normally, when faced with new challenges, the Board would simply enlist the assistance of an executive expert to help fill in the gaps, make recommendations, and provide answers to the myriad deep questions from Board members. Unfortunately, that is not working very well today when Boards call upon the CISOs. This is because most CISOs grew up from the technical ranks and rose quickly into management positions, without the benefit of business leadership and communication skills. It is very common for CISOs to find themselves unprepared to effectively convey pertinent information and collaborate well with the Board. They are experts at the technology aspects of attack prevention, detection, and remediation, but lack the corporate savvy to explain the relevance in business terms that the Board can embrace.
The combination of Board unfamiliarity with cybersecurity and the CISOs’ less-than-mature skills at conveying cyber risk in terms of business relevance creates a chasm: Boards feel deficient in their new responsibilities to oversee cybersecurity, and CISOs realize they are ineffective at explaining the significance, value, and unpredictability inherent to managing cyber risks.
This chasm must be crossed in order to establish productive communication and effective collaboration. CISOs must grow to fill the elevated role, but at the same time, the Boards must evolve as well.
Boards must improve their ability to absorb critical cyber risk information to make good business decisions, establish optimized cybersecurity goals for the CISO based upon overall business strategies, and properly support the effort to achieve those objectives.
Envisioning Board Needs
To set cybersecurity risk goals, decide on business risk tradeoffs, and be confidently accountable for the security of the organization, Boards need more than just information. They need a framework that paints an overlay onto the business so opportunities and issues can be identified and strategies pursued. Understanding cyber risk at this level is not about technology, telemetry, or security operations actions.
Instead, cybersecurity data must be transformed into business information with context on how cybersecurity may impact the core business or future plans. It must convey not only the risks but also the potential benefits of how cybersecurity can add additional value, improve competitive advantage, preserve important relationships, or contribute to the bottom line.
CEOs and Boards engage with CISOs in several ways:
[Figure: CISO and Board Collaborative Objectives and Results — © Matthew Rosenquist]
Adapting to Challenges
Both CISOs and the CEO/Board must work to close the gaps. A big challenge for any board is to understand the nuances of how cyber risk differs from other business risks. It must be handled with a different framework, one that incorporates agility to counter adversaries who operate without the burden of rules, in a highly chaotic and ambiguous environment, and with objectives that impact every aspect of the business. With the right framework, one that requires little understanding of technical details or operational minutiae, Boards can adeptly incorporate cybersecurity into their normal business oversight processes with confidence.
As I outlined in a previous article, “The CISO Transformation — A Path to Business Leadership”, much of the onus rests with the CISO to better communicate and represent what the C-suite and Board need. It is necessary that a transformation of the CISO occurs so they may communicate better and provide relevant, understandable guidance — thereby enabling collaborative organizational strategic planning, compliance, and enterprise risk management.
A Board must also adapt so it can successfully position itself to integrate cybersecurity factors into the greater business oversight and make well-informed decisions that represent the best course for the success of the organization. This includes being able to decide strategic tradeoffs and provide clear guidance for the CISO.
Success is a CEO and Board that are well attuned to the strategic business considerations so they may confidently represent the inclusion of cyber risks into the overall business risk picture at a level that aligns with their fiduciary responsibilities.
Guiding the CISO for Success
CEOs and Boards have the highest level of accountability, and the CISOs are the expert functionaries who deliver on the cybersecurity business goals. By evolving in parallel, both Boards and CISOs can bridge the communication gap, enabling more strategic oversight of cyber risks. Boards that establish clear frameworks, adopt informed risk strategies, and support the CISO in delivering relevant insights will be better positioned to manage cybersecurity as a core element of business success. This collaborative evolution is essential for organizations to thrive amid a rapidly shifting cyber threat landscape.