Podcast / Risk & Strategy

Host: Dottie Schindlinger, Executive Director, Diligent Institute

Cybersecurity governance and the CISO's dilemma

How can boards and CEOs support their CISOs in the face of increasing cyber risks and personal liability? In this episode, Jim Alkove, co-founder and CEO of cybersecurity company Oleria, shares insights from his extensive experience.

Guest: Jim Alkove, CEO, Oleria

More about the podcast

In this episode:

  • What are the main challenges and risks that CISOs face in their role, especially in terms of personal liability and legal exposure?
  • How can CISOs balance the need to disclose cyber risks to the board with the potential consequences of doing so, such as increased scrutiny, blame, or dismissal?
  • How can boards support their CISOs and ensure that they have the resources, authority, and protection they need to perform their duties effectively and securely?

Resources from this episode:

  1. Diligent Institute Cyber Risk & Strategy Certification
  2. Cybersecurity, Audit and the Board

Keep reading

Read the conversation with Jim Alkove in the edited excerpts below to discover CISOs' biggest challenges, tactics that bridge the communication gap between CISOs and the board, and more.

Dottie Schindlinger:

This show is listened to by many corporate directors and senior executives, and we are all acutely aware of the pressing challenge that cyber risk poses for boards and senior leaders. But let's set the stage a bit. There have been significant developments in this space over the past few years, such as the SolarWinds incident and the SEC's response, which has changed the landscape of cybersecurity governance and accountability. Could you talk to us about where we are today and how we got here?

Jim Alkove:

Certainly. To set the groundwork, the current reality for security professionals is incredibly challenging. The cybersecurity threat landscape has never been more complex, with a wide range of threat actors, including nation-state attackers. The globalization of the world has led to fewer norms around cybersecurity, making nation-state actors more active than we'd like. Additionally, cybercriminals remain highly aggressive, with ransomware attacks continuing to rise. Activists and hacktivists, particularly in today's polarized world, are also incredibly active.

The technological landscape that companies need to secure is vast and continues to grow. Companies' dependence on systems and data is at an all-time high, and as we move toward an AI-driven future, data is becoming even more critical. Companies now manage massive amounts of data and have accumulated significant technology debt. This means that security professionals are expected to protect highly sensitive data with aging technology stacks, which most companies possess.

This is the environment in which a chief information security officer (CISO) operates or will join. They must address the rising threat landscape and the mountain of technology debt to secure their organizations. Layering on top of this is the push for greater accountability in cybersecurity, driven by regulators in Europe and the U.S. This push is aimed at ensuring more transparency and accountability to customers regarding the protection of their data, which is a well-intentioned goal.

However, this push for accountability doesn't always consider the ground-level realities that security professionals face. Regulations can take effect overnight, but organizations need time to adapt. We are currently in a transitional period where the system is adjusting to new expectations, and it will take time to reach a stable state. There is a lot of fear in the system, especially among practitioners, about the changes happening from a governance perspective.

Dottie Schindlinger:

You're absolutely right. I'm thinking specifically about the case of the Uber CISO. There are significant challenges and risks that CISOs are facing in their roles. The expectations have never been higher, and the job has never been harder. What are some of the key challenges you see for CISOs regarding personal liability and legal exposure?

Jim Alkove:

I think any senior corporate executive has always had some level of liability, but the line between bad activity, fraud and incompetence is starting to blur. Now, someone who is judged to have done a poor job may feel personally and legally liable for the quality of their work. This creates a lot of fear within the practitioner community.

Another important aspect is that while CISOs often have a C-level title, they don't always have the corresponding empowerment or resources. Many CISOs lack employment contracts, and they don't always have the control over the resources needed to implement the necessary changes. People often latch onto the C-level title and expect C-level performance, but the reality is that not every CISO has the same level of support and empowerment.

This tension is significant because we are asking CISOs to drive the changes that regulators are looking for while simultaneously holding them personally and legally accountable. They don't always feel empowered to achieve the outcomes expected of them, but they do feel the weight of legal liability.

Dottie Schindlinger:

There are certainly long-term implications here, such as talent retention, career progression and mental health. What are some of the things that boards should be thinking about related to their CISOs?

Jim Alkove:

This is another challenge in the evolving role of the CISO. The expectations around liability and personal accountability are just one part of the equation. The job itself has become much more technical, requiring a higher level of technical expertise than ever before. At the same time, CISOs are expected to have strong business acumen, understanding compliance, regulatory implications, and personal liability.

When I transitioned from being a product executive to a CISO about ten years ago, the role was already changing. The technical and business demands have risen dramatically since then. I was fortunate to have a background in engineering, which helped me bridge some of the gaps. However, the role has changed so much that we are asking a group of people to adapt all at once, which is a significant challenge.

Dottie Schindlinger:

That's a lot to consider. I want to delve into the connection between CISOs and the board. Often, there feels like a chasm between the two. Board members sometimes say they don't understand what the CISO is talking about when they report, and the reports they receive aren't actionable. From the CISO's perspective, they must balance the need to disclose risks with the potential consequences, such as increased scrutiny, blame, or even dismissal. How do you strike the right balance here? It seems almost impossible.

Jim Alkove:

You're right; the answer lies somewhere in the middle. It's not reasonable to expect CISOs to simplify their reports to the point where general business directors can fully understand the technical intricacies without prior knowledge or education. Conversely, it's not practical for the board to become so technical that they can speak the same language as the CISO.

What we need is a bridge built through education and collaboration. Boards should have more technical representation, and non-technical directors should receive basic cybersecurity and governance education. This will help them ask the right questions and understand the risks and challenges. Board members are skilled at asking insightful questions, even in areas outside their expertise. By fostering a more informed and collaborative relationship, we can ensure that CISOs are supported in their roles while the board remains accountable and informed.

And those questions lead to important discussions that drive change in organizations. We want that to happen. However, we also need everyone to seek out the education to better understand cybersecurity. At the same time, CISOs need to develop their business acumen and be able to speak in the context of business risk and financial outcomes.

The way boards expect most things to be presented is no different for security. They are allocating resources to achieve business outcomes, and while it can be challenging to map security outcomes to dollars and cents, a risk management-based approach can help bridge that gap. We need to grow the acumen of CISOs more broadly so they can speak the language of boards of directors. Diligent and others are pushing on both fronts, helping to educate both communities. This is crucial work, and I encourage everyone involved to take a breath, work together, and support each other to develop a common language.

Dottie Schindlinger:

So, I’d love to ask for some guidance from you for boards on the best way to support their CISOs. This is a really hard job, and these are very hard-working professionals. How can boards ensure that CISOs have the resources, authority, and protection they need to be effective in their roles?

Jim Alkove:

I think it comes down to asking the right questions. One of my favorite questions, which I used to get asked at the end of every meeting, was, "Do you have everything you need to be successful?" This was an open-ended question, not just about needing more money. It could be about training, mentorship, or even help with communication. I had an incredibly supportive CEO and board of directors at Salesforce, and it allowed me to see how well this can be done.

When you ask someone what they really need and they are willing to be vulnerable and share, don't see it as a sign of weakness. Instead, see it as a sign of someone who is introspective and genuinely trying to understand their needs. Maybe they need a vacation, but help them get what they ask for. This can foster a level of loyalty and hard work that will have a transformational impact on your company. Psychological safety is crucial, not just for the broader employee base but especially for these high-risk executive roles.

Dottie Schindlinger:

That’s really sage advice. On the flip side, how can CISOs do a better job of communicating and collaborating with the CEO and the board on cybersecurity matters? How often should they be doing this, and what are some best practices?

Jim Alkove:

Rapport is never built in the moment of a crisis. The first step is to take the time to get to know people ahead of time. With senior executives, it can be challenging to find moments to build relationships, but these soft skills and relationship-building efforts will go a long way when dealing with hard situations.

I encourage CISOs to map out all their stakeholders, understand what is important to them, and learn their communication styles. Find out who influences them in the organization so you can build complex influencing networks. If you find this challenging, consider getting a coach. Many big consulting firms offer this service, sometimes even for free as part of broader consulting engagements. I’ve found this exercise incredibly valuable and encourage others to do the same.

Additionally, invest in yourself to understand how to speak the language of business to the board. Get better educated on how to communicate risk issues as true risk matters and how to articulate their financial impact. There is a specific risk language that aligns with how bankers or business operators think about financial risk, and you need to bridge that gap. This will make you much more effective in communicating with your stakeholders and the board.

Dottie Schindlinger:

That’s some really sage advice. The last question I want to ask you before we wrap up is about the war for talent. I recently heard that there are around 3 million unfilled cybersecurity jobs globally. While not all of these are CISO roles, a significant portion likely is. This job is becoming harder and, in many ways, less attractive to top talent due to the pressure and challenges involved. Could you share some thoughts with this audience of directors and C-suite folks on appropriate ways to think about pay structures and employment agreements for CISOs? How can we reflect the true risk profile of the role and appropriately compensate people to do it well?

Jim Alkove:

From the board’s perspective, you should treat the CISO role as a key position in your organization. They should have an employment agreement that reflects the importance of their role. Ensure that the CISO reports to an appropriately empowered position within the organization, and give them the authority, budget, and decision-making power they need to be successful.

Don’t view this role solely as a technology position; it has a much broader remit. For your organization’s size and scale, and the level of person you’re looking to hire, make sure you’re paying them appropriately. Executive recruiting firms can provide salary and total compensation comparatives for your industry and geography, giving you a sense of what these pay packages look like.

Be prepared to pay for top talent. I often hear from recruiters and my network about mismatches between what organizations want and what they are willing to pay. Make sure your desire for talent aligns with your willingness to compensate. Before you start recruiting, work out these details for yourself.

From the CISO’s perspective, know your value. Understand your strengths and weaknesses, and be honest about your gaps. The role is elevating, and there are highly paid CISOs whose numbers are growing. If you invest in yourself and round out your skill set, you can step into the highest-paid executive ranks in corporate America. However, just having the title doesn’t mean you can demand top compensation. Deliver value first, and then you can have a conversation about resetting compensation expectations.

Lastly, it’s not selfish to demand a strong employment agreement, policy coverage, or a personal lawyer funded by the company. In situations like the SolarWinds incident, you need personal legal protection, and it’s reasonable for the company to provide this as part of your compensation package. I’ve mentored executives on adjusting their existing or new packages to include these protections, and if you ask for them the right way, organizations are generally willing to grant them.

If you're on the board, a CISO or a risk practitioner and ready to learn powerful strategies for aligning cybersecurity priorities with business goals, enhancing risk reporting and building stronger board engagement in cyber risk management, sign up for our Cyber Risk Virtual Summit now.

Secure your spot today and join us in steering the future of cybersecurity across the globe.

  • Register for the AMERICAS event (February 5, 2025)
  • Register for the EUROPE, MIDDLE EAST and AFRICA event (February 5, 2025)
  • Register for the ASIA-PACIFIC event (February 6, 2025)


© 2024 Diligent Corporation. All rights reserved.