Mon Oct 21 2024

The Battle to Be Heard: Strategies for CISOs to Enhance Their Credibility with the Board of Directors.

How CISOs Can Strengthen Their Credibility with Boards of Directors.

Managing a business has become increasingly complicated. The brief sense of relief following the pandemic was quickly overshadowed by rampant inflation, high interest rates, business uncertainty, and geopolitical volatility. In the midst of this landscape, the last thing an organization needs is the theft of critical information or the paralysis of its systems due to a cyberattack. The risk is amplified if a key supplier faces the same situation: a ransomware attack on a supplier of the NHS in June highlighted the devastating consequences such a breach can have.

For this reason, CISOs (Chief Information Security Officers) in the country are struggling to advocate for the need to enhance cyber resilience. However, their task is not easy, as they first have to convince a skeptical board of directors, which can sometimes be hostile.

Cyber resilience involves addressing deficiencies in people, processes, and technology so that an organization can continue to operate effectively even when subjected to a prolonged and sophisticated cyberattack. This includes improving cybersecurity hygiene through best practices such as multi-factor authentication (MFA), regular security training, backups, encryption, anti-malware measures, and prompt patching. This "prevention" approach must be complemented by rapid detection and response, to mitigate threats that slip through and to recover operations before significant damage occurs.

Unfortunately, this represents an increasing challenge, as the expansion of digital investments broadens the typical attack surface of businesses. Last year, half of the companies in the UK experienced at least one cyberattack or data breach, a figure that rose to 70% in medium-sized companies and 74% in large corporations, according to government statistics. Although ransomware is not the only threat, it has become the most significant, with the National Cyber Security Centre (NCSC) warning of an increased risk due to the use of artificial intelligence tools by malicious actors. This landscape has become an existential risk for some companies, as the loss of intellectual property or sensitive data of customers and employees can have a lasting financial and reputational impact.

Investment in cyber resilience should be a clear priority for CISOs, but in practice, the situation is more complex. For the cybersecurity strategy to work effectively, it is crucial that the security or IT leader is heard and understood. The board must support their vision and recognize the critical importance of properly managing cyber risk. However, research indicates that many boards remain uninterested, viewing cybersecurity only as a technological risk. Approximately 80% of CISOs report that the board would only act in response to a real incident, which often translates into ad hoc solutions that do not address the underlying challenges.

Responsibility for the lack of awareness about cyber risks also falls on boards. Although regulators are demanding greater personal accountability for cyber incidents, there is still much to be done. At the same time, some CISOs contribute to the problem by presenting irrelevant metrics and technical jargon, making it difficult to connect with a business audience that seeks clear answers about the current state of security and how to improve it.

To close this credibility gap, it is essential for security leaders to simplify their communication, align cybersecurity with business risks, and establish clear objectives that are understandable to board members. A good strategy includes using appropriate metrics. By consolidating various solutions into a single cybersecurity risk management platform, it is possible to create a single source of truth for coherent and consistent reporting. Ideally, there should be a solution that calculates risk based on the attack surface, user exposure, and security configuration, in addition to the overall impact on the business. This would allow for continuous risk mapping and the implementation of automated actions to close emerging gaps, such as vulnerabilities or misconfigurations.

The results could be presented in an executive dashboard that facilitates the understanding of complex concepts like misconfiguration in the cloud or account compromise. This approach fosters better alignment between security and business objectives, which could, in the long run, enhance cyber resilience. Although the path may be long for some companies, the risks of not acting are considerably greater.