Boards will increase spending on cybersecurity, but only if they see wider benefits to the business, according to CISOs.
Speaking on a keynote panel at Infosecurity Europe 2022, they argued that organizations need to see more than an absence of successful cyber-attacks to justify spending on personnel and security tools. They need to know that the spending is supporting business goals, or in the government and not-for-profit sectors, delivering value for money.
In addition, CISOs need to switch their language away from technical discussions around vulnerabilities. Instead, the conversation should be around business risk and the issues the board cares about.
In the legal sector, boards emphasize protecting their firm’s reputation, and being trusted to protect client data, said Toks Oladuti, global deputy CISO at law firm Dentons. That reputation also feeds into the firm’s commercial success. “We have KPIs around what we are doing to assist the company to win new business,” he says. “Organizations have invested a lot over the last decade in technical capabilities. What the board expects is results.”
Samantha Hart, CISO at professional services firm Davies Group, pointed out that boards are trying to quantify risk, including in the cyber domain. If all a CISO can show is that the business has not been breached, “that is not a very enticing story for my money and headcount,” she conceded. This includes being transparent about the cost of security failures.
Outside the commercial sector, CISOs report similar experiences. Jon Townsend, CISO at the National Trust, said that there is little point in talking to boards about “vulnerabilities and CVEs.” “It is completely meaningless to people who don’t work in our sphere,” he admitted. Instead, arguments for resources need to be linked to business outcomes.
“We are a charity, and we are accountable to our supporters,” he said. This includes monitoring risks across a supply chain of some 28,000 businesses, ranging from sole traders to multinationals.
Panel chair Paul McKay asked the panel to share their lessons learned.
Townsend advised CISOs to “be curious” and take nothing at face value, whether talking to suppliers or colleagues internally.
Hart said that CISOs need to focus on quantifying risk, as that is increasingly where boards are moving.
Oladuti suggested that CISOs need to take time out to understand the business and what is important to the board and leadership. “That is helping me gain a lot of traction,” he said.