Delinea | Privileged Access Management Blog

CISO Report: IT Security Performance Impacts the Boardroom

Written by Joseph Carson | Jan 28, 2020 8:00:53 AM

Cybersecurity has become a frequently debated risk, and according to the World Economic Report is a top-5 risk to world economies and stability. It’s slightly behind other risks such as natural disasters, failure to mitigate climate change and extreme weather.  Cybersecurity now impacts almost everyone globally, exposes us to significant risks, and has quickly become everyone’s responsibility—including the boardrooms’.


The cyber threats are impacting the boardroom

Cybersecurity is such a hot topic that it remains consistently in the news. Governments have appointed strategic think tanks to establish cybersecurity strategies for both defense and offensive capabilities. New global conflicts include a cybersecurity threat.

Company executives are concerned they’re going to be the next news headline, joining other significant data breaches such as TalkTalk in 2015 in which the CEO departed 18 months later. The Equifax data breach in 2017 saw the CEO, CIO, and CSO leaves the company within a few months following the breach. Equifax faced a congressional hearing and incurred costs over $1 Billion USD.

Cyber awareness must be a boardroom priority

The boardroom can no longer ignore cyber threats, and in this technology-driven world must lead in order to reduce the risks from cyber-attacks.  Cyber awareness must be a boardroom priority in 2020 and everyone concerned must be ready to respond to a cyber incident at any time.

Technology is everywhere, and the cyber risks are increasing

In the past 20 years companies globally have become very dependent on technology, no matter the industry they are in (cars, vacuum cleaners, light bulbs, fridges), which means they are exposed to cyber threats that can occur at any time and from anywhere.

Cyber threats like ransomware have long been a popular technique used by cyber-criminals and continue to disrupt many companies’ services. They cause millions of USD in costs and were named a top threat in the 2019 Verizon Data Breach Investigations Report.

Read Delinea’s blog on the Key Takeaways from the Verizon DBIR 2019 here.

As a result of threats like this, IT Security has finally entered the boardroom as executives look to reduce their growing risks. Cyberattacks never sleep or go on vacation, so executive boards must understand that a cyber-attack can happen at any time, and be prepared for it.

Many companies have raised the priority level of cybersecurity and increased investment, and more companies now include their CISO on the executive board. Yet many still haven’t implemented even basic cybersecurity best practices, such as enterprise password management, multi-factor authentication, or Privileged Access Management.

More companies now include their CISO on the executive board

The CISO has one of the most difficult and challenging jobs in any business today.  They are typically hidden in the background of the organization, working vigorously with their security and operation teams to keep the critical systems and sensitive data protected from bad actors and cyber criminals. They keep systems updated, patch around the clock, deliver cybersecurity awareness training, control, and secure privileged access. These are just several of the tasks the CISO has to tackle, not including the ever-growing compliance and regulations that the business must meet.

“Communication can be the difference between getting fired or achieving security goals and budget” – Jeff Moss aka Dark Tangent (DT)

Information Security Metrics are elusive

Information security metrics are of great value to the business but pose a challenge to both the CISO and the executive board.

In August 2019 Delinea-sponsored research was conducted with more than 550 IT decision-makers across the globe, including the US, UK, Germany, Australia, and New Zealand. The survey presents an insider’s view of how cybersecurity executives are managing the unique demands of their jobs.  The report revealed that CISOs struggle to find appropriate metrics and measure business alignment.

What matters to the CISO in 2020? It’s that they show business value in order to grow the much-needed investment that turns security initiatives into business success. To start this journey, the CISO must get closer to the business and become an engaged listener. By listening to their peers they can align security projects with their work colleagues’ business goals.

Cybersecurity is all about communication, and that means going beyond successfully communicating to the executive board. CISOs and security pros need to become better communicators but also engaged listeners.

Proactive security projects must become a business goal and a CISOs Priority

Proactive security projects should focus on how they help the business reduce risks, improve processes or help employees be more effective and efficient while being cyber-safe.  Projects such as patching systems, updating software, or adding new firewalls, are just keeping the status quo or are simply the minimum effort. However, proactive security projects like reducing time for employees to access applications or data (such as Identity and Access Management solutions combined with Privileged Access Management,) can aid employees to be more effective and cyber-safe, and reduce the risk to the business from cyber threats.

Security projects that reduce wasted time or that help accelerate a company to pass a compliance audit will prove business value and show a strong ROI to the business.

Failure to align security projects to the business will mean failure for the Executive Board, not just the CISO

A company that fails to prioritize information security projects and align them to the metrics of the business could have severe consequences in the future.

The C-suite, such as the CEO, CIO, CSO, and CISO, are now being held responsible and accountable for failure to protect the business from cyber-attacks. The CISO and the C-suite must work together and agree on how cybersecurity impacts business value and business initiatives. Is the boardroom enabling and empowering the CISO to be successful by providing them with the resources and budget required to reduce the risks and threats that cyber-attacks have on the business and employees?

There are multiple implications for failure to protect the business from cyber-attacks. Consequences include longer working hours, pressure from shareholders, the threat of losing their job, and even financial impacts like losing bonus payouts. So, the board is now jointly concerned about cyber threats. The only way to reduce this risk is to reach a common understanding with the CISO on the best way forward, making cybersecurity key performance indicators an important guide to success.

Coordinating metrics across the boardroom can position CISOs as positive contributors to the business

Security teams have become disconnected from the business while focusing their attention on immediate security threats. They have become simply reactive to all cyber threats and incidents, while sometimes attempting to demonstrate value by measuring technology success. But this has little to no correlation with business success and therefore fails to make a positive impression on the executive board or employees.

Here are several metrics that need to evolve to demonstrate business value:

  1. Focus on risk avoidance. Change to security incident impact measurement. The number of security incidents is a metric that is a waste of time and of no value to the business.
  1.  Focus on education. How many employees clicked on a simulated campaign phishing link? Don’t bother. Instead, change to how many employees detected and report phishing.

To learn more about what key skills make a CISO successful when it comes to business achievement check out Joseph Carson’s Forbes Article: CISOs, Stop Focusing on Cybersecurity