Why Cybersecurity Is Now A Board-Level Leadership Imperative
We are not hearing enough about the short tenure of the chief information security officer (CISO). Regular studies place it in the region of two years, and anecdotal evidence from my own network, based on the analysis of the profile of 15 current CISOs, points toward 30 months.
It is often the symptom of serious underlying issues and the cornerstone of long-term stagnation for many cybersecurity practices in large firms. We have to look beyond the most commonly cited reasons: lack of resources, disconnect with management and constant firefighting leading to mental health issues and burnout. All three aspects, in my opinion, point toward the profile of the CISOs themselves.
Not all organizations are doing well, and not all organizations are well managed. But it is hard to imagine one where senior executives and board members would be insensitive to cybersecurity issues, given the level of media coverage of the past decade and the nonstop occurrence of cyberattacks.
In my experience, many organizations have reached a point where executives at those levels are rarely challenging the amounts spent on cyber—they are more concerned about ensuring enough is committed to protecting the business. In such a context, CISOs failing to obtain the resources they deem necessary to do their job should ask themselves where this is going wrong.
More often than not, the problem is rooted not so much in the amounts involved or the storytelling by the CISOs but in the excessively technical focus of the demands and the trust in the CISOs to execute what senior executives are asking.
Let’s not forget that the role of the CISO is rarely a board-level construction engineered top-down. At best, it has evolved bottom-up out of a technical context. In most cases, it is still a technical construction rooted in IT matters. Many senior executives and board members have become immune to these multimillion tech projects pushed forward by fresh-faced CISOs who leave after a few years for a bigger, better job elsewhere.
In large firms, it can be hard to get things done on a complex topic such as cybersecurity, which cuts across all corporate silos, particularly where maturity levels are low and radical change is required. It requires time, persistence and relentless drive.
On cybersecurity matters, the penny dropped years ago in the boardroom around the “when-not-if” paradigm, but CISOs need to understand how much this is changing the nature of the agenda for senior executives. This is no longer just about risk or putting ticks in compliance boxes at minimal cost; it’s a matter of business protection and, as a result, the actual execution of protective measures becomes paramount.
But CISOs have been poorly prepared in the last decade for the type of management challenges involved in this shift.
They continue to understand “when-not-if” as meaning “whatever-we-do-we-will-be-breached.” They see the value they bring as being rooted simply in the short-term tactical and technical firefighting of cyberattacks and not so much in the actual implementation of good practices with the view of delivering a degree of long-term and lasting protection across the firm.
That’s the root of the disconnect between CISOs and many senior executives: They are often prepared to consider large investments around cybersecurity, but they expect to be given a sense of perspective, credible execution to follow and some degree of protection to result from it—not just constant demands to buy more tech, covered in technical jargon, every time something happens.
All of this breeds frustration, which breeds mutual distrust, and distrust breeds unwillingness to commit resources. This is the vicious circle that feeds short tenures.
In practice, short tenures breed long-term stagnation: You don’t achieve a lot in large firms in two or three years. Often, very little gets done beyond tactical measures and alleged technical low-hanging fruits. Projects are frequently aborted or left unfinished, as the next CISO has other views or business priorities have changed.
To break this spiral of failure, in particular where maturity is low and things need to change, the board needs to take ownership, assign clear responsibility for cybersecurity to a senior executive they trust at their level and start driving the topic top-down with a sense of long-term perspective, looking beyond the day to day of the business.
Board members often object that they simply don’t have the skills to do that, but this is a misconception and they must not stop at that hurdle. Cybersecurity is not just a technology problem—it never was. It is a problem rooted in culture and governance, which happens to have a technology dimension like almost everything large enterprises do.
Getting the governance right from the top down around cybersecurity is a leadership matter—which fits perfectly in a board agenda—and the necessary start to embed the right business protection culture in each and every corporate silo. Middle management needs to see the right attitude, the right example and the right message coming consistently from the top around cybersecurity and, in most cases, given the right support, they will follow.
Good cybersecurity is quite simply good business; it protects the firm and its customers and builds resilience. Supporting it and promoting it has become a matter of good leadership.
Article link – https://www.forbes.com/sites/forbesbusinesscouncil/2022/05/19/why-cybersecurity-is-now-a-board-level-leadership-imperative/?sh=64b985c94270