Boardroom Strategy: Present Security Issues with Clarity and Ease
In today's digital age, the dependency of businesses on technology is more pronounced than ever, even in industries traditionally lagging in digital transformation. This reality is not lost on corporate boards, who are increasingly recognising the critical role of cybersecurity in their operations.
As a result, the role of the Chief Information Security Officer (CISO) is evolving. CISOs are now expected to operate at a board level, speak in terms that board members can understand, and apply broad cybersecurity principles that transcend industry boundaries.
This shift is reflected in the growing interest among corporate stakeholders in better understanding the risk calculus of their technology stacks. SolarWinds, for instance, established a committee with additional board members to oversee IT and cybersecurity after a breach, serving as a case study for the role boards play in revising risk management following a cyber incident.
The CISO at Texas Children's Hospital, Gordon Groschl, underscores the importance of collaboration with other departments in addressing cybersecurity challenges. Teresa Tonthat, VP of IT and CISO of Texas Children's Hospital, finds that board members are now more engaged and proactive about cybersecurity. She uses the news cycle to educate her board about cybersecurity risks affecting other healthcare institutions.
Effective communication remains a challenge for many executives when it comes to cybersecurity. David Baumgartner, EVP, CIO, and managed solutions leader at Mandiant, recommends CISOs provide context and clear intentions when presenting to the board. Baumgartner also suggests using business terms, benchmarks, and comparative analysis to explain security needs to the board.
PepsiCo has integrated cybersecurity into its crisis management, setting a tone for the company to treat it as a regular business concern. The CISO of PepsiCo, Sara Andrews, emphasises the importance of considering cybersecurity in all decisions made by the C-suite, board, or employees.
However, striking a balance between answering all board questions and providing only necessary information is a challenge for CISOs. Transparency is crucial, even when using tools to translate risk or folding security into overall business outcomes. Boards play a critical role in incident management and monitoring, making clear and concise communication all the more important.
In conclusion, the role of CISOs is evolving, with stakeholders wanting a better understanding of the risk calculus of their technology stacks. By operating at a board level, collaborating with other departments, and communicating effectively, CISOs can help their organisations navigate the complex landscape of cybersecurity risks and ensure that cybersecurity becomes a natural part of overall business goals, integrated with systemic risk management.