Cyber incidents and data theft are among the biggest business risks globally for the first time this year. As the risks increase, you would expect this subject to automatically receive higher priority in the boardroom. Yet in many companies, security is still seen as a cost for the IT department, rather than an important enabler of business strategy. As a result, the subject still does not receive the attention it deserves. In order to solve this problem and make security a standard part of the boardroom agenda, CISOs should take the following steps:
1. Business objectives first, technology second
The traditional CISO, drawing on their IT background, has a tendency to inform the board about every technical possibility available for optimising the company's security. As a result, board members often regard security as too complex and complicated and tune out on the subject.
A good CISO approaches this in a completely different way. They make sure they speak the board's language and know the board members well and personally, because they know that this is the key to success. So a smart CISO first sets aside everything they know about technology and security strategies and starts by questioning the board in detail about their ambitions and business objectives. They also ask which of those goals the company wants to prioritise. After all, if you know the business objectives, it is much easier to assess which business units contribute the most to those objectives. The applications and systems in these important departments automatically warrant increased security.
An additional advantage of this approach is that the board realises that – as a function of the investment they are willing to make – they themselves also have an important role in determining the security risk they are prepared to run as a company.
2. Drawing up risk profiles based on business objectives
Once the CISO has a clear understanding of company objectives, they can draw up security risk profiles for each business unit and link them to their security policy and the required security budget. This creates a top-down security approach. However, many CISOs fall into the trap of talking to the board about security from the bottom up, putting forward arguments based on their IT knowledge. Unfortunately, the technology metrics they present often mean little to the board members, causing them to lose interest quickly. So always choose metrics that demonstrate the contribution of security to the successful achievement of the business objectives. A good CISO prefers to keep all other metrics to themselves.
3. Define the required security level
Once the risk profiles are known for each business unit, the next step is to look at what level of security is required. Is it really necessary to patch every system in the facilities department every five days or is once a month enough for a less mission-critical department like this one? After all, patching less often is a lot cheaper.
Many companies wrongly assume that once the IT department has spent the security budget, security will be in order. Nothing could be further from the truth. In fact, in traditional IT security, 80% of the budget is often spent on measures that deliver only 20% of the relevant security. By first looking very closely at the required security level for each business unit, the CISO can avoid this and arrive at a balanced budget proposal for their security policy. This will have the immediate effect of increasing the involvement of the board, because this is the language the board understands.
4. Increase security maturity per business unit
As soon as it is clear which business units require increased security maturity, the CISO can get to work. Always start with a baseline measurement of the current level of security maturity. This baseline measurement can be carried out using the compliance models used internally or by hiring an external party for the purpose.
Then present short- and long-term objectives to the board, indicating how security maturity will be improved. Regularly share results with the board and make sure they are related to topics that matter in the boardroom, such as improving the company's image and increasing employee satisfaction.
5. Make security an integral part of the business process
By systematically working to achieve these objectives, you will achieve a higher level of security maturity within the company. The ultimate goal is that security should become an integral part of the business process. This will allow the organisation to reduce time-to-market when building applications, improve the quality of products and secure increased competitive advantage. In this way, security will genuinely enable the company and the board to achieve their business objectives more quickly.
The balance between security and running the business
The ultimate challenge for any company is to balance the need for security with the desire to run the company as well as possible. A good CISO understands this dilemma. As a 'trusted adviser', they must be able to communicate to the board the best way of striking that balance, with the company's objectives in mind. If the CISO succeeds in playing this role, security will never again be neglected in the boardroom.