5 steps boards can take to empower CISOs and strengthen their relationship
In today's volatile cybersecurity landscape, the role of chief information security officers (CISOs) has become increasingly critical, and more intensely scrutinized than ever before. The SEC’s recently enacted cyber breach disclosure rules – a regulatory response to events like 2020’s massive SolarWinds hack and former Chief Security Officer Joe Sullivan’s personal liability for covering up a cyber breach at Uber – have heightened concerns among U.S.-based CISOs about their responsibilities. Similarly, new and emerging regulations across the globe, such as NIS2 and DORA in Europe, and Australia’s Privacy Legislation Amendment of 2022, have elevated the pressure on CISOs and other security professionals.
These mounting pressures have highlighted the need for CISOs to be able to interact more closely with board directors. Likewise, as a result of these headwinds, many directors want a stronger relationship with their CISOs to ensure the directors have a solid understanding of their company’s security program. Strengthening the director and CISO relationship pays off: Recent research from Diligent Institute and Bitsight demonstrates that a lack of connection between a board and its CISO can in turn diminish overall company performance.
At a dinner that Diligent hosted during the 2024 RSA Conference, I had a chance to explore the dynamics of the board/CISO relationship with several directors and CISOs. What I learned is that many CISOs feel they lack a true seat at the table and a clear ability to communicate risk and strategy effectively with board members. And directors similarly feel this lack of connection. With heightened regulatory requirements and liability, this challenge facing CISOs is even more acute. From directors in attendance at the dinner, it was clear that directors want to hear from CISOs and view cybersecurity as a business issue.
So what can be done about the disconnect?
Based on my conversations with CISOs and directors, I’ve put together the top five ways boards can empower their CISOs and foster a more robust partnership – demonstrating directors’ commitment to cybersecurity and acknowledging the expertise and insights that the CISO brings to the table. Following these five steps will benefit the board, the CISO and the organization as a whole.
1. Ensure adequate protection for CISOs
One of the fundamental ways boards can empower their CISOs is by ensuring they have the necessary protection and support. Directors should consider two key aspects:
- D&O insurance: Boards should ensure that CISOs are covered by the company Directors and Officers (D&O) insurance policy. CISOs may not typically be covered because the role has not historically been a "board appointed” role. This coverage provides financial protection for CISOs in the event of legal action or claims arising from performing their job. By providing D&O insurance coverage, boards demonstrate their commitment to supporting their CISOs and recognizing the importance of and inherent risk associated with their position. It also provides legal assurances to the CISO, similar to those that the CEO, CFO and GC are typically provided.
- Indemnification coverage: Boards may want to also consider providing CISOs with indemnification coverage through an indemnification agreement. These agreements protect CISOs from personal liability and provide reassurance that they will be supported in the event of legal challenges related to their cybersecurity responsibilities. Indemnification agreements can help alleviate concerns and enable CISOs to focus on their critical role without fear of personal repercussions. An indemnification agreement may not be required depending on whether the CISO is covered by the company’s D&O insurance and the terms of that coverage.
2. Establish regular board/CISO check-ins
Often, leadership teams inadvertently isolate the CISO from direct engagement with board members. While managing executive interactions with the board may be well-intentioned, it can also create a real or perceived barrier for CISOs to have an avenue to discuss risks and strategy directly with the board. To bridge the gap between CISOs and board members, it is crucial to establish regular communication channels between the board and the CISO. The director on the board who manages oversight of cybersecurity – whether that’s the audit or risk committee chair, the lead director or board chairperson or the director who is the “cyber champion" on the board – should proactively set up monthly or quarterly check-ins with the CISO.
By explicitly granting permission and encouraging regular interactions, directors empower their CISOs to share their expertise, insights and concerns directly with the board, while keeping the board well-informed on cybersecurity matters. This dedicated time allows for open discussions, updates on cybersecurity initiatives and the opportunity for the CISO to seek input and guidance. This engagement also helps align the CISO's priorities with the board's strategic objectives, ensuring a cohesive approach to cybersecurity governance.
CISOs may not have the ability or comfort level to request time with board members. Board members should take the first step to establish this regular communication channel and remove any barriers.
3. Set the tone internally and prioritize cybersecurity at board meetings
Boards have the power to set the tone internally and prioritize cybersecurity within the organization. It is essential for boards to recognize that cybersecurity is not just an IT issue but a critical business matter. By emphasizing the importance of cybersecurity at the board level, directors send a clear message to the entire organization about the significance of protecting sensitive information and mitigating cyber risks.
Furthermore, boards should prioritize cybersecurity on the board agenda, ensuring that it receives adequate time and attention. Many board meetings face a similar challenge of time management whereby business, finance and strategy topics dominate the agenda, at the expense of topics like cybersecurity. Boards can overcome this challenge by shifting certain work to committees like audit or risk, or by dedicating time in the board calendar on a periodic basis to topics like cybersecurity. For example, a quarterly security review at the committee level and an annual security review at board level, combined with board-level education on cybersecurity, ensures that this mission-critical business function is given appropriate importance and that the board meets its obligations. By dedicating sufficient time to cybersecurity, boards demonstrate their commitment to cybersecurity and empower their CISOs to address key concerns effectively.
4. Encourage the GC to help the CISO deliver effective cybersecurity presentations
Of course, boards must expect their CISOs to structure effective cyber presentations. To facilitate meaningful boardroom discussions, CISOs should shape their presentations to the board around specific themes and provide the relevant, contextualized data in the board’s language.
The general counsel or chief legal officer has extensive experience in this arena, which can help guide a CISO who is newer to the boardroom. The CISO should focus on four to five key questions or areas of concern – which the CISO and their main contact on the board should already be aligned on, thanks to their regular check-ins. By collaborating with the GC on effective board presentation techniques and strategies, the CISO can guide the board's attention and elicit valuable input on those questions or areas of concern. This approach ensures that discussions between the board and CISO are focused and productive.
5. Jointly establish a materiality framework ahead of time
Additionally, boards and CISOs should consider creating a materiality framework for cybersecurity incidents. By establishing agreed-upon criteria for disclosure purposes, both management and the board can assess the materiality of incidents before they occur. One suggested best practice that we discussed at RSA was to evaluate past incidents through this framework to provide valuable insights into what would have been disclosable based on the agreed-upon criteria, enhancing transparency and preparedness for the board and management. That in turn bolsters the relationship and trust between the board and CISOs even more.
In an era of increasing cyberthreats, boards must ensure that the mission-critical business function of cybersecurity is built into every layer of the organization, starting with directors’ ability to fulfill their oversight responsibilities. By empowering their CISOs with adequate protection, regular board check-ins, the prioritization of cybersecurity during and between board meetings, and aligning on materiality before a breach occurs, boards can strengthen the board/CISO relationship and foster a culture of cybersecurity throughout their organizations.
As one board member so eloquently noted, boards want to hear from their CISOs, and they need to hear from their CISOs. By empowering CISOs, directors can navigate the complex cybersecurity landscape more successfully.
