CISOs Drive Changes with Cybersecurity Committees
Is our cybersecurity investment enough? While the answer may be complicated, it’s a question Chief Information Security Officers (CISOs) are regularly asking, along with other important discussions they’re having in the boardroom. And they’re not speaking into the void.
According to research published by Splunk this month in The CISO Report, 78% of the 350 CISOs and other security leaders surveyed say there is a dedicated board-level cybersecurity committee at their organizations. Such a committee gives the people deciding on cybersecurity procedures and investments a higher level of understanding of the risks involved.
Cyber Risk Equals Business Risk
The research focused on the changing responsibilities of CISOs, especially as they look for new ways to fill security gaps and mitigate organizational risk. It found that boards and CEOs rely on them for guidance and are willing to collaborate on solutions. That’s good news.
However, the report also found that while CISOs’ and their boards’ priorities are moving closer together, there is still some misalignment, with 84% of CISOs saying that their board or governing body cares more about regulatory compliance than about security best practices.
“Regulatory compliance is very important and mandatory, but security best practices change much quicker due to new evolving threats,” said Ron Bebus, CIO, CISSP at PrivaPlan. “CISOs must be constantly adapting to the new threats to protect the enterprise.”
Still, the pendulum is swinging in the right direction, as 93% of CISOs say they expect an increase in their cybersecurity budget over the next year. Since 86% of CISOs said their biggest responsibility is to ensure their governing body or board sees value in funding security investments, their efforts are paying off.
CISOs Expand Their Influence in the Boardroom
Another recent survey conducted by Proofpoint reinforces the improved relationships between CISOs and boards. “Cybersecurity: The 2023 Board Perspective” is based on the survey results of more than 600 board members. Fifty-three percent of directors say they interact regularly with their security leaders. That’s up from 47% in 2022. Boards and CISOs are also in better agreement when they interact. Nearly two-thirds (65%) of board members surveyed reported seeing eye-to-eye with the CISO.
“The days of IT staff using ‘tech-speak’ and focusing on technology only are long gone,” Bebus said. “CISOs must be able to communicate and educate the entire organization on security best practices. The constant bombardment of news about security breaches has opened the ears of C-Suite and board members; now is the time for every CISO to present clear messages on how their organization can be fully prepared against today’s and tomorrow’s threats.”
In a company blog, Splunk’s Vice President and Chief Information Security Officer Jason Lee addressed similar findings of improved CISO/Board communications from The CISO Report. “As CISOs talk more to the CEO, CFO, and others in the executive suite, they discovered those leaders care about different KPIs [Key Performance Indicators] and security metrics today than they did two years ago,” he wrote.
The report showed that CISOs ranked ROI [Return On Investment] of security investment as the most important cybersecurity success factor, with results of security testing a close second. “If the investments boost the maturity of an organization’s cybersecurity program, that’s a quantified outcome right there,” Lee stated.
The bottom line is that board members are listening, and security leaders are able to use their growing platform to create the change they want to see in the industry.
PrivaPlan is also listening and staying up to date with the ever-changing security and privacy landscape. We’re also here to listen to you. Contact us today. Email info@privaplan.com or call 877-218-7707.
Check out our blog post about the top ten cybersecurity misconfigurations.