CISOs and Board Members Remain Divided on Cybersecurity
Recent research sponsored by Focal Point Data Risk shows little consensus between chief information security officers (CISOs) and board members when it comes to conveying the value of an enterprise cybersecurity program, assessing the program’s effectiveness and measuring security risks.
The Cybersecurity Divide
Focal Point’s Cyber Balance Sheet Report 2017, independently conducted by the Cyentia Institute, includes one-on-one interviews with more than 50 CISOs, 25 corporate directors and 10 subject matter experts. The study analyzes how board members and CISOs perceive each other’s roles and responsibilities when it comes to security.
As it turns out, corporate directors and CISOs aren’t seeing eye to eye on security’s main role. For instance, board members cited data and brand protection as the primary value of cybersecurity to the business, while CISOs rank these two pillars as the least critical. In addition, board members cite guiding and enabling the business as the least valuable to security needs, while CISOs prioritize these efforts.
The report shows that key performance indicators pursued by each side are also widely disparate, causing board members’ confidence in CISOs to diminish. In fact, confidence in the security program’s effectiveness at the board level comes in at a mere 5 percent. Yet CISOs are considerably less doubtful about the efficacy of their security program, with 42 percent feeling confident. Conversely, 49 percent of board members expressed a lack of confidence in their organizational security controls, while only 13 percent of security executives agreed with that sentiment.
The difference in opinion between both groups boils down to justification of the program itself.
“The ability to express what you get for your money in an impactful way is a critical prerequisite to building confidence in the value of a cybersecurity program,” said John Madelin, CEO at Reliance acsn, according to the Cyber Balance Sheet report.
Creating a Balance Between Business and IT
Divided opinions between board members and CISOs when it comes to interpreting the value of a cybersecurity program may be attributed to weak rhetoric on the part of security executives about the need for risk mitigation efforts.
“CISOs [are] very good at presenting ‘blood in the streets’ and very bad at presenting strategy on how to avoid it,” John Pescatore, director of emerging security trends at the SANS Institute, told Dark Reading. To bridge the divide and instill board confidence, security executives must present meaningful metrics that can be tied to business outcomes.
“A [board member] favors metrics combined with an intuitive story. But it has to be a narrative they can understand,” said Daniel Kennedy, an analyst with 452 Research, according to Dark Reading. “The somewhat difficult, technical problem of security needs to be described in layman’s terms that go just deep enough for very intelligent people, who happen not to be security experts, [to understand],” Kennedy said.
Business and IT must align around cybersecurity program goals that mitigate risk and allow the business to achieve its vision.