21% of Chief Information Security Officers Have Experienced Pressure Not to Report a Compliance Matter, Study Shows

According to recent research, more than a fifth of CISOs have faced pressure not to disclose a compliance issue.

As the CISO role expands into the boardroom, security leaders carry more of the responsibility for breaches, which leaves them more exposed to executive pressure when a compliance risk surfaces.

The findings, from a report released by Splunk, also indicate that 59% of CISOs would be willing to blow the whistle if their organization ignored compliance requirements. That some feel they might have to resort to such a step points to a more basic problem: a breakdown in communication between CISOs and corporate boards.

The disconnect often stems from executives not understanding the detail and time involved in meeting compliance requirements. Board members may underestimate the effort required of the security team and, when told about delays or obstacles, may encourage CISOs to downplay or withhold issues rather than report them.

“While boards acknowledge the importance of compliance, many may not fully grasp or comprehend the effort needed to achieve it,” commented Kirsty Paine, field CTO and strategic advisor for Splunk, in The CISO Report.

“Lacking everyday insight, it is not surprising that board members assume it should be ‘simple’ or become bewildered when CISOs and their teams expend extended periods to establish and maintain a robust compliance posture.”

Splunk surveyed 500 security leaders, including CISOs, and 100 board members across 16 industries worldwide to examine the relationship between cybersecurity decision-makers and executive teams. The results show CISOs playing a growing part in corporate governance, but also persistent difficulty in aligning security with business objectives.

CISOs are being brought into boardroom discussions because of escalating cyber threats, but they face growing obstacles

As cyber threats grow, CISOs are taking on more responsibility. The report finds that 82% now report directly to the CEO, up sharply from 47% in 2023, and that 83% regularly take part in board meetings. This greater involvement has not, however, translated into better alignment between security teams and senior executives.

The study found that 94% of CISOs have experienced a disruptive cyberattack, with 55% reporting more than one and 27% dealing with repeated breaches. Despite these threats, CISOs and board members remain at odds over core priorities, budgets, and strategic direction.

SEE: Global Cyber Attacks to Double from 2020 to 2024, Report Finds

Even though CISOs have been given a seat at the table for strategic decisions, the Splunk report highlights notable gaps between them and the rest of the board.

For instance, 52% of board members believe CISOs spend most of their time aligning security efforts with business goals, but only 34% of CISOs agree. In practice, 57% of CISOs say most of their time goes to selecting, implementing, and managing technology.

CISOs and boards also differ on priorities. Just over half of CISOs (52%) rank adopting emerging technologies as a priority, compared with only 33% of board members. Similarly, 51% of CISOs consider upskilling security staff essential, a view shared by only 27% of board members.

On compliance, only 15% of CISOs treat it as a primary performance indicator, most likely because many see it as a box-ticking exercise that establishes a minimum baseline rather than a strong security posture. By contrast, 45% of board members regard it as a key metric.

CISOs are confident in their communication abilities, but the evidence suggests otherwise

The Splunk report indicates that CISOs believe they communicate effectively with the rest of the board and are aligned with it on key issues. They may, however, be overestimating how well they are getting through. 61% of CISOs feel aligned with the board on strategic security objectives, compared with 43% of board members. On reporting progress against security milestones, 44% of CISOs rate their communication highly, but only 29% of board members agree.

These communication gaps have real consequences for the business. Only 29% of CISOs say they have adequate funding for their cybersecurity initiatives and goals, compared with 41% of board members who believe funding is sufficient. Underinvestment leaves organizations exposed: of the surveyed CISOs who deferred technology upgrades because of cost-cutting, 62% reported a successful breach or attack.

CISOs must improve board communication by putting numbers on risk

To reduce cyber risk and close the gap on compliance, security leaders need to change how they engage with board members.

“Several boards state that they prioritize business expansion (44%) over bolstering the cybersecurity program (24%), meaning they lean toward endorsing cybersecurity initiatives that deliver the most value to shareholders and the organization,” noted the authors of the report.

Indeed, 64% of board members believe that framing security as a business enabler is the most effective way to secure additional funding, yet only 43% of CISOs take that approach. Around 46% of board members say that quantifying costs such as downtime and potential regulatory penalties is the most persuasive argument in budget discussions.

SEE: Downtime Costs World’s Largest Companies $400 Billion a Year

The responsibility does not rest solely with CISOs. Board members should treat the CISO as a principal stakeholder in decisions that affect enterprise risk and governance, the report's authors stressed.

“Despite these fissures, they share a joint responsibility in safeguarding the company. Boards safeguard profitability and stock value; CISOs safeguard data and systems. This is a foundation to build upon. Yet, it will necessitate communication, comprehension, and a substantial dose of patience to unite,” they concluded.
