  • 20 April 2023
  • 13 min read

CISO Guide: Board and CEO engagement ... mindsets CISOs need to change

Does having a seemingly disengaged leadership lead to lax security behaviours and a greater chance of being breached? Here are 4 mindsets CISOs can change at board level.

The CEO is the chief risk officer for the company. Cybersecurity has become a boardroom issue. We need to ensure that every board member understands the implications of cyber security and what it means for the future of our company.


Istari's report, titled ‘The CEO Report on Cyber Resilience’, reveals that whilst CEOs and board members understand the importance of cyber security protocols and advice, most CEOs (72%) said they were not comfortable making cyber security related decisions.

To take your board members on a journey from a point of hesitancy to a point of active, informed security advocacy, we need to fundamentally change the way they think about cyber security and the security behaviours they practice.

In today’s article, we will be analysing the behaviour change that security leaders need to encourage at the top to see benefits trickle down through their organisation, why cyber security needs to translate into cyber resilience and the mindset changes we need to see at board level.

Why do CEOs need to take cyber security seriously?

[Image: Cyber security statistics 2023 – concerning cyber security statistics that CISOs, CEOs, and board members should be aware of]

In the past, cyber security may have been seen as an operational responsibility. However, in recent years, cyber attacks have been causing significant financial damage, reputational damage, and the breakdown of stakeholder relationships for organisations.

According to a report by Check Point Software, cited here in Digit News, there was a 38% increase in global cyber attacks between 2021 and 2022, with the UK seeing a massive 77% rise. Furthermore, Business Wire states that 81% of global organisations experienced increased cyber threats during the COVID-19 pandemic, and Deloitte states that 91% of organisations encountered at least one cyber incident or breach.

As a result, executives are now evaluating the strategic risk of their cyber security infrastructure and their employee behaviour culture. Managing cyber security risk and building resilience has become a core part of any CEO’s leadership responsibility.

In fact, in Istari’s report, they conclude: “Enterprises today need to move beyond simply shoring up their cybersecurity defences to the more complex but critical task of building organisational cyber resilience. Meeting this challenge requires, above all, CEO leadership.”

The statistics point towards a slow but important change in how CEOs view their organisations’ cyber security. In Deloitte’s 2023 report, titled ‘Global Future of Cyber Survey’, they revealed that 70% of CEOs and C-suite executives now include cyber as part of their board’s agenda on a quarterly basis. Can we increase this percentage and the frequency of cyber security conversations at C-suite level?

Cyber security vs Cyber resilience

Traditionally, when security leaders are pitching cyber security programmes and awareness campaigns to their board, they may unwittingly use acronym-heavy language that executives associate with technical roles. This is daunting for business executives, creates a barrier for understanding and often leads to a disconnect between the security team and board members.

The goal of any CISO, when talking to their board, is to contextualise cyber security as cyber resilience. Moving thought leadership from a cyber security protection mindset to one that understands the importance of cyber resilience is a substantial change in perspective, but it is imperative if you want long-term board buy-in.

Cyber resilience activities can also be more beneficial than compliance-based and often-forgotten cyber security training; a report by the World Economic Forum (WEF) concludes that “Cyber security focuses on protecting data, but it is no longer sufficient; businesses need cyber resilience.”

CEO mindsets that you need to change

1. Accountable to Responsible

[Image: The American CEO mindset vs The European CEO mindset]

In the Istari report, 37 CISOs were asked if they thought their CEOs would feel accountable in the case of a cyber attack … 50% of European CISOs do not think their CEOs feel accountable, whilst 30% of American CISOs also felt the same. Interestingly, the same report asked the CEOs if they felt accountable … to which 100% of CEOs said they felt accountable for cyber breaches.

The disconnect we see here comes from a fundamental misunderstanding of accountability and responsibility. CEOs are often the face of their organisation and see being the ‘face of the mistake’ as being accountable. However, for CISOs, accountability goes hand in hand with responsibility. Real accountability comes only if you are jointly responsible for the practices and protocols. This means CEOs should not entirely compartmentalise security decisions; they need to be co-responsible as well.

Now, co-responsibility does not just mean being the public face of a cyber breach. It means playing a direct role in cyber attack prevention and preparation. When a CEO plays a direct role in preparation, it can increase their appreciation of the complexity of cyber attacks and the ramifications of a breach. Co-responsibility, as opposed to accountability, also reframes the CEO’s role from just taking the blame for attacks to being an active part of the security solution on a continuous basis, not just when your organisation is in peril.

2. Delegated trust to Informed trust

In the same report, 72% of CEOs said ‘No’ when asked if they feel comfortable making cyber security decisions. This can be partly attributed to the technical complexity of cyber security and how difficult this can be for business executives to grasp. This is where delegated trust comes in: CEOs cannot expect to be an expert in every topic, so they must trust others’ expertise. This is why you have different teams in an organisation handling what they are proficient and trained for. However, should delegated trust be followed in relation to cyber security?

When a cyber attack happens, the reputation and status of an organisation – no matter how big or small – is in the hands of the security team and CISO. Often, these employees operate further down the decision-making hierarchy. Does it make sense for a CEO to delegate blind trust to the security team in the case of a cyber attack? No. CEOs need to inform themselves on cyber security properly before an attack occurs. If they do not, they will be relying on their security team without fully comprehending what they are talking about. This could lead to an even bigger fallout.

[Image: Delegated trust vs Informed trust (Source: Istari's ‘The CEO Report on Cyber Resilience’)]

Blind delegated trust needs to transform into informed trust. CEOs need to be curious about cyber security as threats are always evolving and new risks are always being birthed. CISOs need to make it easy for CEOs and board members to ask questions; board-specific webinars can be used to help the CEO and board members stay informed of their organisation’s cyber security. Educating CEOs on cyber threats and risks will lead to a change in behaviour and inspire cyber resilience by creating a baseline of security understanding at the top of your workplace structure.

However, we know that it can be difficult to reach this position as a CISO, especially if you are working with only internal resources. This is why using a trustworthy team of external advisers or consultants, who run behavioural reports and security analysis, can be another way to achieve the informed trust of your board.

3. The Preparedness Paradox vs Always be ready

[Image: What is the 'Preparedness Paradox'?]

A 2022 survey by Marsh and Microsoft found that 43% of organisations have conducted risk assessments of their supply chain, 64% have increased cyber risk investment and 61% have bought some form of cyber insurance coverage – but is being prepared the wrong mentality altogether?

The preparedness paradox is the idea that the better prepared an organisation is for a cyber attack or crisis, the less likely it is to experience one. This concept is based on the observation that investments in preparedness, such as security infrastructure improvements, incident planning, and training, can reduce the frequency and impact of a cyber attack.

However, the preparedness paradox also suggests that the success of these investments can lead to complacency and a reduction in the resources allocated towards preparedness. In other words, the more effective preparedness measures are, the less people may believe that a disaster is likely to occur, and the less likely they are to invest in future preparedness efforts. This can create a cycle where preparedness measures are implemented and then neglected once they prove successful, leading to complacency and jeopardising the organisation’s resilience.

So, how do you stay prepared but not become complacent? You must think of preparedness as an ongoing responsibility and not an end point. Have the following mindset: “I can never be too prepared.” Maintaining a long-term perspective on preparedness and continually investing in resources to maintain and improve preparedness measures, even when the immediate threat of disaster may seem remote, will cultivate a cyber resilient mindset.

At TSC, we always rail against ‘ticking the boxes’ and resting on your laurels; cyber criminals and threat actors do not rest, and they are looking for the next innovative way to trick your employees and breach your organisation. CEOs need to shift to a mindset that accepts you can never be fully prepared, but you can be ready and refreshed on a regular basis.

4. Security sieve to Security safe

[Image: National Association of Corporate Directors survey results]

Many CISOs keep cyber security matters away from the board and CEO. It is true that there is often a split between the focus of the board and, say, the security team; whilst the board values business continuity and reputation, the security team values operational and technical status. So, when engaging the board, as a CISO, you need to bridge the gap by raising awareness and developing security knowledge. Board members need to move from being security information sieves to security information safes.

You can do this by running board-specific presentations or a cyber security forum on a regular basis so that board members can ask and get responses to any questions they have about cyber security.

Some organisations are already practising this, with the National Association of Corporate Directors (NACD) revealing that 58% of boards they surveyed have increased the number of discussions they have had about cyber security, whilst 79% of boards surveyed even report having a cyber security expert as a board member. However, not all leadership teams are being as active as this.

Often, board members have many questions about cyber security and how their organisation is staying safe from cyber threats, but they may not have the technical knowledge or understand the specific nomenclature needed to start discussions on the topic. When you create a space where they can openly query cyber security amongst their peers, you will find them far more receptive to your cyber security concerns, eventually empathising with and understanding the scale of them.

CEO thoughts: what do CEOs and board members think about cyber security?

If your CEO and/or board members only respond to like-minded or similarly positioned leaders, then you should inform them of how the world’s biggest and brightest leaders are increasing their stock and focus on cyber resilience:

Cyber security is a top priority for us, and we take it seriously. We are constantly monitoring and improving our systems to stay ahead of the evolving threat landscape. Even as the digital landscape grows larger and more complex, we remain guided by our core belief that cyber security is about empowering people. As CEO, it's my job to be thinking about cybersecurity all the time. It's not just a check-the-box exercise. It's not just hiring a CISO and saying, 'We're done here.' It's a constant process of vigilance.

Cyber security is no longer just an IT issue, it is a business issue. Boards and executive teams need to take a proactive approach to managing cyber risk and ensure that cyber security is integrated into the overall business strategy.

CEOs and boards need to recognise that cyber security is not just a technical problem, but a risk management issue that needs to be addressed at the highest level of the organisation.

Cybersecurity is not an IT issue, it is a business issue. It is critical that the CEO and board of directors are informed and engaged in managing cybersecurity risks.

These quotes highlight the importance of CEOs and board members being informed and engaged in managing cyber security risks and setting the tone at the top for a culture of cyber resilience. They also emphasise the need for a constant process of vigilance and collaboration between the board and management to ensure that the organisation is well-prepared to withstand the evolving threat landscape.

Last thoughts

Board and CEO engagement: mindsets CISOs need to change

It does appear as if CEOs and board members are re-evaluating the importance of cyber security and the risks they face every single day. However, there is still room for improvement in terms of implementing formal strategies, changing security mindsets at leadership level, and increasing the board’s engagement.

CISOs play a critical role in engaging CEOs and board members with cyber security. By shifting mindsets, contextualising cyber attacks, and transforming cyber security into cyber resilience, CISOs can create a more proactive and collaborative approach to cyber security. This requires developing and building a culture of continuous improvement, where cyber security is embedded into the fabric of the organisation.

Cyber resilience is about more than just preventing cyber attacks; it is about building the resilience to respond and recover quickly when they occur. By working together, CISOs, CEOs, and board members can help ensure that their organisations are well-equipped to withstand the evolving threat landscape and protect their most valuable assets.

If you would like more information about how The Security Company can help you to engage board members and C-suite executives with cyber security ... or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.