Few board-level topics have been as noteworthy or confusing
in recent years as cyber risk, and with it, the changing role of chief
information security officers (CISOs).
A pair of interesting studies released in recent months, Optiv Security’s The State of the CISO and NACD’s 2019-2020 Public Company Governance Survey, provide interesting insight into the state of the relationship between CISOs and boards of directors. These survey-based studies show how CISOs and boards view each other and cybersecurity, and perhaps even more interestingly, how they view their work relative to how others perceive their roles.
Boards and CISOs Are Better Aligned
The stereotypical storyline of the board-CISO relationship goes
a little like this: CISOs have trouble communicating with boards due to the
difficulty of connecting cybersecurity programs to business value. As a result,
directors think of CISOs as technical personnel rather than true C-level
executives, and CISOs think board members just don’t get cybersecurity.
However, Optiv’s recent report, which surveyed 100 CISOs from the United States and another 100 from the United Kingdom, indicates that this gap in perception is narrowing considerably. Ninety-six percent of respondents indicated that senior management and directors comprehend cybersecurity more fully now than five years ago, and 86 percent said they are getting more funding for their programs because of this improved understanding.
Similarly, NACD’s most recent survey of directors found that 79.3 percent of board members believe their board’s understanding of cyber risk has significantly improved compared to two years ago. Only 8.7 percent indicated they did not have enough cyber knowledge to provide effective oversight of cyber risks.
There’s Still Room for Improvement
While the communication gap between CISOs and board members
appears to be narrowing, there is still a bit of a chasm when it comes to
business priorities. According to the Optiv survey, 76 percent of CISOs feel that cybersecurity has become so important in
their organizations that “CEO tracks” for CISOs will start to emerge. Seventy
percent of US respondents and 64 percent of UK respondents said that executive
leadership at their company ranks cybersecurity as their top enterprise concern,
even if it slows down business.
But NACD’s survey shows that directors are not quite on the
same page when it comes to business priorities. Only 28 percent of responding
directors said they prioritize security above all else, even if it slows down
business, and 61 percent said that
cybersecurity should not be prioritized above overall business velocity.
While these numbers undoubtedly would have been far lower just a few years ago
(before directors began scaling the cybersecurity learning curve), they indicate
that CISOs may be a bit optimistic in their view of how boards prioritize
cybersecurity.
Breach Experience Is a Resume-Builder
Perhaps the most interesting finding across the two surveys
is how CISOs and boards view CISO breach experience. It was not long ago that a
breach hitting the headlines was a career-limiting event for CISOs. Today,
there is a greater understanding from boards that breaches are often
unavoidable, and it is the response to a breach that is the true measure of a
CISO’s performance.
In Optiv’s survey, 58
percent of CISOs indicated that having breach experience on their resume increases
their chances of being considered for other CISO roles. This is a far
cry from just a few years ago, when a data breach was a “scarlet letter” on
CISO careers, and indicates a significant shift in how senior executives and
boards view CISOs and data breaches.
However, NACD’s survey indicates that CISOs are actually underestimating the value of breach experience on their career paths compared to how directors view such skills. Ninety-two percent of directors surveyed said that experiencing a breach makes a CISO candidate more attractive because they have expertise in helping companies respond to and recover from a breach incident.
The Relationship Continues to Evolve
These are only a few data points on the complicated
relationship between CISOs and their boards. However, the Optiv and NACD
surveys do reveal several important trends:
Cyber risk has become important enough that cybersecurity is a board-level business priority.
Directors are educating themselves on cybersecurity and have a much better understanding of the risks and security technology than they did just a few years ago.
CISOs are emerging from the old perception of being “technical personnel” to becoming legitimate C-level executives. The perceptions around breach experience speak to this: there’s now an understanding that no organization can stop all breaches, and the most important thing is to have an experienced hand guiding breach response and recovery efforts.
The cyber risk landscape is constantly evolving, and so shall the relationship between CISOs and boards. It will be interesting to watch how things progress in the years to come.
Mark Adams is the senior practice director of risk
transformation at Optiv.