The Evolving Role of the Modern Day CISO
Kirsty Paine, Field CTO and Strategic Advisor, Splunk
The role of today’s CISO is complex and rapidly changing due to the dynamic challenges of the cybersecurity landscape. In fact, 86% of CISOs say that the role has changed so much since they became a CISO that it’s almost a different job. While their most critical priorities still revolve around defending their organizations against the threat landscape, CISOs are also emerging as strategists and leaders who now have louder voices in the boardroom.
In The CISO Report, Splunk, in partnership with Enterprise Strategy Group, examines emerging trends, threats and strategies for today’s Chief Information Security Officers (CISOs), Chief Security Officers (CSOs) and other equivalent security leaders.
In 47% of organizations surveyed, the CISOs are now reporting directly to the CEO, indicating a closer relationship with the C-Suite and their respective governing boards. This relationship is more common in Europe (54%), probably due to regulatory pressures and CEO liability for security. The C-Suite and board of directors are also relying more on CISOs for guidance across a sophisticated threat landscape and changing market conditions.
With boards of directors increasingly looking to CISOs to guide cybersecurity strategy, CISOs now have an opportunity to articulate value and fill in communication gaps. These relationships provide CISOs with the opportunity to become champions who strengthen an organization’s security culture and lead teams to become more cross-collaborative, resilient and better prepared for the future.
CISOs often speak a different language than their board
CISOs have never been more connected with their boards, yet in practice, CISO priorities are still not lining up closely enough with their board’s priorities. Eighty-four percent of CISOs maintain that their board or governing body cares more about regulatory compliance than security best practices. Thirty-one percent say that projects have been delayed due to lack of funding while 30% say that the security team was unable to support a business initiative.
CISOs and the board work to align on success metrics
CISOs and their boards are not fully aligned on success metrics. Only 20% of boards rate “ROI of security investment” as a measure of success, yet 27% of CISOs surveyed said that they prioritize reporting the ROI of security investments, so successful advocacy will require CISOs to adjust what they report.
To build a more effective relationship with their boards, CISOs need to change their approach. CISOs shouldn’t underestimate their boards: boards understand money, loss and risk, so it’s important to speak in those terms. CISOs can start by acquiring soft skills and learning the board’s language. They can then move to communicating the value of security teams regularly in non-technical terms that a diverse range of stakeholders can understand; for example, how much annual revenue is protected by obtaining various security accreditations.
Cybersecurity is a board-level priority
CISOs are changing their focus towards the business and formalizing their executive roles. Many CEOs now consider security to be their top risk, with compliance coming in second, meaning that CISOs are gaining parity with CFOs, and security issues are deemed as important as financial issues.
Organizations are integrating security into their existing business systems and processes. A vast majority of organizations (78%) now report having a subcommittee or audit committee focused on cybersecurity, privacy or cyber risk. For a long time, CISOs have been driving change in security culture within their respective organizations, from improving employee awareness to building security requirements into software development and business decision-making. Now that they have the ear of the board and dedicated committees to challenge them, it’s time to use this influence to uplift the security maturity of the organization.
The front lines of change
The data in this report makes it clear that CISOs have more face time and influence with CEOs and boards than ever before. And little by little, CISOs and their boards are learning to speak the same language. As CISOs look ahead, their focus should be on communicating at the business level, leveraging their influence, and collaborating with teams across their organization to build more resilience. With more influence, budget and mandate than ever, it’s crucial that CISOs use them to level up security maturity before boredom sets in.
Kirsty Paine is a Field CTO and Strategic Advisor for Splunk.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.