Mary K. Pratt
Contributing writer

4 signs the CISO-board relationship is broken (and 3 ways to fix it)

Feature
Jul 18, 2019 | 9 mins
Risk Management, Security

Gaining the board's trust is key for elevating the security function to a strategic level. To do that, CISOs will need to get out of their technical comfort zone.

A group of business leaders / board members with questions.
Credit: FangXiaNuo / Melpomenem / Getty Images

When veteran cybersecurity leader Christopher Hetner wanted to build up trust with his company’s board, he sought out his C-suite colleagues to first better understand their work and security needs.

“I had to build the trust with the business and understand their mindset, how the business operates and what drives profit and risk posture,” he says. He notes that while senior vice president of information security at Citigroup he physically sat alongside the CFO as the CFO worked to educate himself on what drove the company’s growth.

Hetner says such outreach is needed for security executives to move beyond the technical part of their role so they can better assist with their organization’s overall strategy and offer the kind of advice that the board will trust and value.

“CISOs are more comfortable with technical-driven metrics and having a technology dialogue with the board, so they’re not presenting to the board the business risk through an economic exposure. I wouldn’t discount the importance of some of the technical metrics, but you have to go with the ‘So what? factor,’ the ‘Here’s the downstream impact.’ That’s a different type of dialogue,” says Hetner, managing director of cyber-risk security consulting at Marsh and special advisor for cyber risk at the National Association of Corporate Directors (NACD). Hetner is also a former senior cybersecurity advisor to the chairman of the U.S. Securities and Exchange Commission.

Why trust matters

More and more CISOs are presenting to their organization’s boards of directors, yet researchers, executive advisors and experienced security leaders like Hetner say while great presentations are required, they’re not enough.

“The objective is to gain the board’s trust, so the CISO can get their backing when he’s seeking to do hard things,” says John Pescatore, director of emerging security trends at the SANS Institute, a nonprofit that specializes in cybersecurity training.

They say establishing trust is the higher aspiration for organizations that want to elevate their security function to a strategic level, to a full C-suite partner whose expertise will influence leadership’s strategic decision-making.

“When the board trusts the CISO, the CISO can do better, move quicker, act in the way they need to and get the funds they need. That’s critical, because cybersecurity risk is so dynamic. It requires CISOs to adjust the strategy and operating model very quickly. And if the CISO doesn’t have the support of management and the board, he or she can’t do their job,” says Kris Lovejoy, the global cybersecurity leader at professional services firm EY/Ernst & Young LLP.

Increasing oversight belies “limited understanding”

Company directors do indeed recognize the importance of security. The nonprofit NACD in a recent survey of more than 500 public company directors found cybersecurity threats listed among the top three trends that will have the biggest impact on their companies, just behind regulatory changes and economic slowdown.

Global research and advisory firm Gartner Inc. finds it similarly top of mind, reporting that by 2020 the boards of all large enterprises will expect at least annual reports from their executives on cybersecurity and technology risk – an increase of 40% from 2016.

However, experts say there’s a real disconnect between security leaders and the board.

The EY Global Information Security Survey 2018-19 found that 28% of the 1,400 global C-level executives surveyed say their board/executive management team has no “comprehensive understanding of information security to fully evaluate cyber risks and preventive measures,” with another 31% saying it has only a limited understanding; just 39% say the board/executive management team has the comprehensive understanding needed to fully evaluate risks and prevention.

Furthermore, it found that only 18% of organizations make information security a strategic agenda item, with another 55% saying security influences business strategy only somewhat or not at all.

“The boards say they feel as if they’re hearing that everything is OK. They’re getting reports from the CISO about a maturity framework with red, yellow and green coding on where things are, and they don’t necessarily understand what they’re seeing, and they’re uneasy,” Lovejoy says.

Other experts offer similar observations, saying CISOs too often give overly technical presentations to the board, offering as proof of success security-industry metrics that don’t offer any insight on business impact. They talk about the number of phishing attacks stopped or viruses blocked, the high rate of patching and other such measurements.

“That’s not a message that resonates with the board,” Hetner says.

Signs of trouble

To be fair, though, CISOs shouldn’t shoulder all the blame. Board members also have an obligation to educate themselves on security topics and how those fit into the strategies they oversee as well as to understand how they can best support the security function in their organizations.

“Creating that trust is a two-way street. The CISO wants to know the board believes in what they’re doing, and the board wants to know what the CISO is doing. So they have to work together to set expectations for the CISO to meet,” Lovejoy says, adding she doesn’t see outright distrust as much as she sees boards feeling uneasy in the relationship they have with the security executive.

Here are four signs that the CISO doesn’t have the board’s trust.

Not presenting to the board

A glaring sign of trouble is the absence of any regular CISO presentations to the board. “If you’re not presenting to the board, when someone is doing it for you as a proxy, that’s a simple tipoff,” Lovejoy says, adding that CISOs should present directly to the full board at least once a year – in addition to quarterly presentations to a relevant oversight committee (usually the audit committee) if not the full board itself.

Lack of discussion

Hetner says a lack of discussion following those presentations is another sure sign the CISO doesn’t have a strong relationship with the board. “The lack of effective challenge is an indication that it’s not only the CISO but also the board’s [ineffectiveness], that the board isn’t equipped to provide that effective challenge to the CISO,” he explains.

Fielding the wrong questions

Another indication of trouble is when CISOs find themselves answering board member questions that are focused on what Lovejoy calls the “wrong metrics” – if they’re trying to understand technical measures, for example. “That’s a good indication that they don’t understand what you’re describing,” she says.

Being left out of early conversations

CISOs who aren’t frequently connecting with their C-suite colleagues to contribute perspectives on business strategies also don’t have the board’s trust, Lovejoy says. “If the CISO isn’t being brought in early to be part of the discussion around strategy upfront and early, that means the CISO isn’t relevant enough to be a consultant on risks for transformative moves,” she adds.

There are several key moves CISOs can make to build up trust between themselves and the board, according to research and the experience of the experts interviewed here.

Know your company’s risk tolerance

To start, CISOs should make sure they’re on the same page as the board when it comes to the organization’s tolerance for risk – something that many organizations have not explicitly established.

“I have personally seen over the years and daily hear from my peers across the sectors that they feel like the board is doing check-the-box or what is the minimum standard,” says Rebecca Wynn, head of information security and the data protection officer with Matrix Medical Network in Scottsdale, Ariz.

NACD’s own findings speak to the disconnect between boards and their security leaders on this point, reporting in its 2019 Governance Outlook: Projections on Emerging Board Matters that 70% of respondents to its annual survey of public company directors said they need to better understand the risks and opportunities affecting company performance.

If a clear articulation of the board’s appetite and tolerance for risk is lacking, Lovejoy recommends CISOs initiate the conversation: “The CISO should say, ‘I can work toward whatever goal you establish but I need that goal post.’” CISOs then need to better articulate how their security team is doing against that established goal.

Communicate exposures in a business context

Hetner says CISOs need to be fully transparent about what exposures exist across the enterprise, explain the potential obstacles to advancing the cybersecurity program and communicate how cyber risk can be realized across the enterprise – all of which should be done in a business context.

“And by that, what I mean, is an understanding and assessment of cyber exposure through an economic lens and how that drives the prioritization of risk management,” Hetner explains. “It’s an evolution for CISOs [who should have] business acumen, strong effective communication skills, and apply all these skills in cybersecurity through a strategic lens.”

Establish connections

Others advise CISOs seeking to build up more trust with the full board to make connections outside their regular presentations. Pescatore points out that other C-suite leaders often connect with board members between meetings, giving them a heads-up on major items and building up a strong rapport during routine times that can help them work better together during tough stretches. “Boards fire CFOs, for example, they don’t trust. It’s not because they had a bad quarter. They know bad things sometimes happen,” he adds.

Wynn agrees with the relationship-building approach, saying, “The CISO needs to find a true sponsor or champion on the board to assist him/her in moving forward with initiatives.”

Furthermore, Wynn recommends that CISOs do some work beyond their scheduled meetings to determine how best to break through any barriers they have with their boards.

“You need to be with the leaders, learn their communication style, what their strategic and tactical plans are for the years, and how you can best support them. If they are not open to your partnership then keep the communication open but seek out other partnerships,” she adds.