The cyber security function isn’t a back office team that is never seen and never heard. To truly protect the company, cyber security touches every corner of the business, and it starts from the top.
At ISACA’s virtual conference on 22 February 2024, I led a session on how CISOs can “attack the board’s mindset” to better align cyber security with governance. Without foundational buy-in from the board, businesses are left vulnerable to cyber attacks with devastating consequences. If cyber security isn’t a priority, fewer resources are allocated to cyber teams, which end up sparsely staffed and stretched for time. This weaker overall protection widens the attack surface for cyber criminals, many of whom have no wish to make themselves known but rather infiltrate a system and syphon data unnoticed for years. Fewer resources also leave cyber teams reactive rather than proactive, when the crucial element of success is to stay one step ahead of the attackers.
Boards are not held accountable when a breach occurs; they are held accountable when they do not ask questions or do not adequately understand or test answers. That’s why the first mission of the CISO must be to ensure that the right questions are asked.
Aim for clarity on cyber security itself
Organisations need to be clear about their definition of cyber security. As technology evolves, so do the terms we use and how we understand them, as when ‘IT security’ slowly became ‘information security’, then ‘cyber security’, and is now wrapped up into a broader vision of ‘trust’. Board members need to have an understanding of all areas of the business and how cyber opportunities and threats might affect it, rather than just knowledge of one particular area. Without this, people are liable to make presumptions without properly understanding what is meant. If cyber security isn’t understood at a top level, it can be deprioritised or misinterpreted. The job of the CISO is to translate cyber security issues into business terms that make the issue known, understandable, and tangible to board members.
Get board members comfortable asking questions even if they don’t have the answers
Boards don’t ‘do’ – they ‘direct’. The questions that board members bring to the table are of vital relevance to the business, and they should not shy away from cyber security because they don’t have the right answers or solutions. They’re not expected to. As long as the board is asking the right questions, the cyber experts will have the answers. The key is curiosity: dig into the ‘why’ and the ‘what’ rather than the ‘how’. If the ‘why’ and the ‘what’ are addressed, the business will be in the best position.
Board members care about an organisation’s oversight, risk and culture, and must separate governance from management responsibilities. Cyber security is not a new responsibility of the board; it is a topic that must be considered when performing its core duties.
For example, boards must foster the conditions that let the business succeed, which gives them a duty-of-care obligation to ensure proper cyber security governance. They must prevent losses and mitigate adverse conditions, so cyber risk has to be managed within the board’s approved risk appetite. They must set a strategic direction that delivers value, so policies and procedures to manage cyber risk need to be in place. Finally, boards should not interfere with management decisions or operational issues, so their contribution is the set of cyber-related questions they put to the management team.
Demonstrate that people, not technology, are at the heart of cyber security
When it comes to cyber security, it’s vital to think like the enemy and defend ourselves with the same technology that hackers use. In the digital age, technology has been democratised and is widely accessible, so investment in cyber needs to go into technology as well as into processes and people. Cyber investment should never be a choice between technology or people, but both: it’s not a question of humans defending themselves from technology, but of using technology to defend against others’ nefarious use of it.
All in all, the responsibility for cyber security is intersectional – a crossover between the board’s day-to-day responsibilities and its broader concerns of business oversight, culture, and risk. The board may not be directly accountable when a breach occurs, but it is accountable if it doesn’t ask the right questions or take the time to properly understand what is expected of it.
Bruno Soares is president of ISACA’s Lisbon chapter.