“When boards and CISOs engage successfully, organizations are better able to take advantage of the opportunities presented by cyberspace and today’s information technology while addressing the associated risk,” said Michael de Crespigny, CEO at the ISF, in an emailed statement. “To manage the risk/reward balance, CISOs must drive engagement across their organizations, changing the conversation to convey the value of information security to the organization – in terms that resonate with top decision makers and align with business objectives.”
The ISF noted that cyberspace is continually evolving: its potential and threats, vulnerabilities, complexity and interconnectivity are always changing. The threat is also asymmetric, as activists, cybercriminals and nation-states disproportionately increase traditional information risks. Against this backdrop, CISOs should ensure information strategy and risk should sit comfortably with other types of strategy and risk that the board oversees.
“CISOs need to lead and drive engagement with the board – and start by changing the conversation,” continued de Crespigny. “They need to translate the complex world of information security and information risk into easily understandable issues and solutions. CISOs must change their way of thinking and the resulting conversation, so that information risk can be considered alongside other risks that boards oversee. As information security leaders, we have to shape the way we talk about information risk management for each audience.”
The ISF’s latest report, Engaging with the Board, explained there is no straightforward path to board engagement. Research for this report uncovered a wide range of hazards, from CISOs lacking personal credibility to not adequately preparing the board for the message. Organizations, their boards and committees are complex – involving personalities, power, relationships and unwritten rules. Navigating this organizational jungle, with its many moving parts, requires ingenuity, careful preparation and ongoing effort, the ISF warned.