
How CISOs can secure a strategic partnership

Getting more out of your relationship

Building a secure future – as partners

In today’s hyper-connected world, a strategic relationship between Chief Information Security Officers (CISOs) and their boards of directors is critical. It enables organizations to better prevent, respond to and recover from incidents and helps mitigate cyber-risks. Board members and security leaders tend to approach security from their own vantage points. Building a strategic partnership, however, requires aligning their viewpoints to determine the best way to support the overall organization. Our research revealed a group of security leaders who have successfully built supportive, trusting and communicative partnerships with their boards, enabling a clear focus on the greater needs of the business.

Although not yet a fully mature business process, cybersecurity is and will continue to be a boardroom issue. As cybersecurity becomes part of the strategic agenda of boards of directors, challenges are emerging and successful practices are being codified. Today, CISOs and other security leaders face increased personal responsibility. They not only have to manage their own teams and operations; they must also guide and advise their C-suite, and educate and collaborate with their boards of directors, who may have varying levels of experience and knowledge on the topic.

The relationship between boards of directors and security leaders is an important one that needs more care and attention. According to a recent Harvard Business Review study, among 23 board processes assessed, those related to cybersecurity were rated last in effectiveness by the directors surveyed. For this to improve, interactions between CISOs and their boards need to occur more frequently, and the time spent together must be used more effectively. Some CISOs recognize this need for more face time with directors: according to a study by the Enterprise Strategy Group (ESG) and the Information Systems Security Association International (ISSA), 44 percent of information security professionals surveyed believe that CISO participation with executive management is not at the right level today and should increase in the future. Work needs to be done on both sides of the equation.

In researching this important issue, we didn’t stop at simply identifying the problem; we dug deeper to understand what is really happening between board members and security leaders worldwide:

• Are board members and security leaders on the same page?

• Are boards supportive of their security leaders and providing them enough time and resources?

• Are security leaders providing their boards enough education and expertise?

• Do security leaders have a mutually beneficial relationship with their boards – one that enables them to make well informed decisions?

• What are the benefits and barriers in the relationship?

• What kinds of frameworks, tools and communication methods are being used to manage cyber-risk?

Seeking answers to these questions, we surveyed over 300 board members and 300 security leaders in 28 countries representing 18 industries about their views and practices. In the process, we identified a group of security leaders whose approaches have enabled strategic partnerships with their boards and helped increase their value to the business.


Meet the author

David Jarvis, Security and CIO lead, IBM Institute for Business Value

Originally published 12 July 2017