How CISOs can engage the executive suite and board to manage and address cyber risk


The modern Chief Information Security Officer (CISO) has a tough job. Amid the myriad of malicious cyber threats trying to infiltrate their organization, CISOs must also effectively navigate other murky waters: engaging their C-suite and senior counterparts on cybersecurity matters. It’s a daunting task for which decades of technical training and cyber programming expertise alone are not enough.

The Securities and Exchange Commission (SEC) on July 26 finalized new cybersecurity regulations that require public companies to disclose cybersecurity breaches within four days, raise the level of cybersecurity expertise on their boards of directors, and oversee the management and assessment of cyber risks. The agency proposed these regulations in 2022, and the final decision is expected to come in October 2023.

Now more than ever, CISOs need to be well-positioned to inform and engage other leaders as organizations invest in digital transformation at scale.

In search of the latest and greatest technologies

The hyper-competitive landscape of our digitized corporate world drives business leaders to constantly seek out the latest and most innovative technologies that can lift them above the pack.


These technologies have evolved exponentially over the different eras of computing. It started with the centralized mainframe, then moved to microcomputers and PCs in the 1990s. Then came the age of the Internet, the mobile device revolution that followed in the 2000s, and the expansion into the cloud throughout the 2010s.

We have now entered another era of transformation: the current arms race of generative AI and machine learning (ML) which, while exciting, has ushered in a wide range of new operational risks for companies to manage.

Know when to say yes

The march towards streamlining business-critical functions, reducing bottlenecks and improving operational efficiency makes digital transformation a top priority for every organization. When revenue and customer satisfaction are at stake, it is imperative to adopt new technologies and understand the cyber risk associated with them.

For CISOs to be true business partners, it is not possible to say “no” to every new opportunity. Knowing how and when to say “yes” without compromising the organization’s security posture can be tricky.

This reinforces the importance of understanding how to simplify cyber risk for the executive suite and board in a way that fosters a collective understanding of its criticality. The role of the CISO is no longer to be a tactical facilitator or a pure technologist. It’s about being a transformative leader who closes the gap between organizational cybersecurity and business operations to drive market adoption and sustainable success.

Mobilize the C-suite: align cyber risk with business objectives

Effective C-suite engagement relies on simplifying the link between cyber risk and business risk. This requires deciphering the impact of a cyberattack in a way that does not paint a doomsday narrative, but clearly describes the serious ramifications it could have on core business objectives.

For a conversation with the CFO, that link could be financial losses associated with operational downtime caused by a ransomware event. For the CMO, it could be brand reputation damage after the leaking of personally identifiable information (PII) data on customers. For the COO, it could be a business interruption following a break in the supply chain.

The real name of the game is to convey the implications of inaction, tying it to the outcomes that mean the most to the respective leaders. Because let’s face it, conversations about the intricacies of extended detection and response (XDR) solutions, exfiltration, and distributed denial of service (DDoS) attacks will never fully resonate with non-technical audiences.

And, by extension, such talk can come across as demeaning without the CISO realizing it, further compounding the perceived complexity of the cyber threat landscape.

Engage the board: build trust

As the nature of cyber threats continues to evolve, so does the regulatory landscape surrounding global cyber risks. With new SEC regulations in play, boards are finally beginning to grasp the urgency of cyber resilience in the digital age – becoming more committed to equipping organizations with the right resources to proactively protect data and defend themselves.

The ripple effect of this paradigm shift is that security leaders are now called upon by their boards for information and guidance more than ever. A CAP Group study earlier this year found that 90% of companies in the Russell 3000 Index did not have a single director with the necessary cyber expertise. In turn, CISOs are called upon to establish and maintain an open line of communication in the boardroom.

Fast and continuous updates

As strict compliance requirements will soon be in play, the board needs timely and continuous updates on the cyber threat landscape. Effective engagement in this context requires a good understanding of the ultimate goal. It is not so much about asking the organization’s main governing body for budget or cyber approvals; that is usually up to the C-suite to decide.

Rather, it is a plea for trust that the organization is well placed to protect itself from a cyber crisis and to mitigate its fallout in accordance with the corresponding regulations.

Time is tight in boardrooms – CISOs often have only 15-30 minutes to get their point across. So, cut out the sprawling PowerPoint decks and lengthy presentations and instead leverage hard-hitting storytelling techniques and logical real-world examples that elicit emotion.

It’s not just about expressing cyber risk. It’s about making leaders feel the impact of it.

Frank Kim is a Fellow of the SANS Institute and CISO in Residence at YL Ventures.
