How CISOs can cut through corporate politics

A cybersecurity expert shares three tips for ensuring cybersecurity professionals get heard at the board level.
11 September 2020

CISO’s need a louder voice in the boardroom. Source: Shutterstock

  • Cybersecurity professionals are burnt-out and overworked, and struggle to acquire the resources they need
  • Security is a top business priority, but there is a lack of clear definition as to the influence of the CISO
  • Cybersecurity expert Galina Antova shares three tips for cybersecurity leaders to get their voice heard

No business leader with a grain of common sense would doubt the importance of cybersecurity today.

Colossal data breaches and shatteringly costly ransomware capture headlines of the mainstream press regularly. The dangers to business are well-documented, well-publicized, and should be a constant consideration hand-in-hand with pretty much every operational decision today.

The strains, stresses, and complexities of keeping a business network secure have only been highlighted this year. While spending on tech solutions briefly stagnated, investments in cybersecurity were the most stable, even while businesses entered a barebones survival mode. But that’s not to say the security function is sucking in dollars.

The establishment of the cybersecurity arm of the business — comparable to the hardhats and safety procedures of a construction site, or the flak jacket in a warzone — remains insubstantial. A recent survey by the Chartered Institute of Information Security (CIISec) on security professionals found that four out of five believe that security budgets aren’t keeping pace with the rising threat. In the face of more frequent and sophisticated cyberattacks and increasing customer intolerance for data mishandling, business cybersecurity specialists aren’t getting the support they need.

In the face of this challenge, businesses simply hope to cope with fewer resources (64%) or let routine or non-critical tasks slip (54%). Just 4% would consider actually increasing resources. The individuals with these rare and valued cybersecurity skillsets are voting with their feet — 54% of respondents had either left a role due to overwork or burnout or knew someone who had.

A leadership question

Galina Antona, a cybersecurity expert and co-founder of Claroty.

Root to this dearth of resources is not due to lack of recognition as to cybersecurity’s importance, but a lack of clear definition as to the influence of the chief information security officer (CISO) or their equivalent within the business. Cybersecurity Ventures predicted that 100% of large corporations (Fortune 500, Global 2000) globally will have a CISO or equivalent position by 2021. But to whom this executive should report to and what influence they should have remains a wider point of contention.

“The board’s main concerns are revenue and risk. We in the cybersecurity industry know that cyber risk is something that should come under this umbrella, however it is not always top of the executive priority list […],” said Galina Antova, a cybersecurity entrepreneur and executive with over 15 years in the cybersecurity industry, and co-founder of Claroty.

“A lot of the reasoning behind that is a lack of education and a lack of technological representation at the board level, where historically many of the board members have hailed from predominantly financial backgrounds.”

Business cybersecurity executives don’t always have a seat in the boardroom. Subsequently, they’re not always heard by the final decision-makers and budget holders. “CISOs can bring a ton of value to board-level conversations,” said Antova.

“They need to have the chance to elevate the conversation around cybersecurity issues with the other major stakeholders in the business – CIOs and CDOs in particular – at the board level in order to ensure total business alignment. Once given the chance, CISOs can play a key role in helping their organization to identify and consequently reduce risk, something which can be exceedingly complex.

“[…] organizations across the globe must look towards a future with more technology expertise at the helm of their leadership.”

Three ways to cut through

Boards that lack this specialized perspective and expertise may fall into complacency or a false sense of security. Business leaders may mistakenly believe they have all bases covered, or miss the chance to make important strategic changes simply because they lack the necessary background to understand the full potential that technology can unlock.

“By giving more CISOs a seat at the table, enterprises will be able to move forward with digital change initiatives much more effectively and efficiently, ensuring they are prepared for whatever the future may throw their way,” said Antova.

While it shouldn’t fall to cybersecurity leaders to fight for their influence, Antova had three initial pointers for CISOs to begin cutting through corporate politics:

# 1 | Change your narrative 

Cybersecurity leaders should change their narrative to the board in order to fully represent the technology agenda in a way that leadership will understand, and that’s meaningful in terms of their goals for the business.

The board is always going to be concerned with what competitors are doing, for example, so provide insight into the competitive advantages that technology and digital transformation can enable and the steps the organization needs to take to get there. “One of those steps, of course, includes securing the organization from new risks introduced by digital transformation,” said Antova.

# 2 | Explain the threat

Although there is still progress to be made, IT security is emerging as a board-level discussion topic and starting to be considered an operational risk that could affect revenue. However, security in areas like operational technology (OT) in physical industry still has a long way to go in getting on the agenda.

“OT security is undoubtedly going to pose a risk to your business so make it more of a priority by explaining to the board that when operational technology networks are neglected, the impact of those breaches is much higher compared to those on IT networks, and therefore likely to be even more costly,” said Antova.

“Cybersecurity is such a fluid industry, so education will go a long way.”

# 3 | Set benchmarks

Simply discussing cybersecurity as a priority isn’t enough; action will only happen consistently when goals and benchmarks are set, from which to allocate budget, acquire resources, and track progress. Setting goals and timelines, and making security a systematic, ongoing process will enable cybersecurity leaders to secure buy-in from the board

“I’d advise you to help the board to set benchmarks so they have a level of responsibility when it comes to security initiatives and you can secure the proper and appropriate budgets needed,” Antona said.