It can often feel like a cultural divide exists between security teams and the rest of the company. COVID-19 disrupted every day-to-day service for many enterprises, overloading already razor-thin budgets and personnel. Although many were already looking at a risk-first approach to cybersecurity, COVID-19 has taught them that it’s just not enough. Gartner predicts that by 2025, 50% of asset-intensive organizations will converge their cyber, physical, and supply chain security teams under one chief security officer role that reports directly to the chief executive officer (CEO).
The cultural divide between departments, especially between Chief Information Security Officers (CISOs), security teams, CEOs, and board directors, is dangerous. It can be detrimental to the business as a whole in what is quickly becoming a digital world. The attitude of IT teams and security professionals being surplus to an organization is dated and risky. By the time the rest of the C-suite executives recognize the error of their ways after a data breach, it’s much too late, and the heat of the whole incident will inevitably fall upon the CISO. It’s easy for CISOs to become a scapegoat in that situation, even if they’ve been pushing for a more extensive security budget or more employees.
According to Gartner, only 20% of chief technology officers have established critical partnerships with key market-facing executives in sales, finance, and marketing. And only 10% of cybersecurity committees are overseen by a qualified board member. These numbers need to increase now to avoid business and financial disruption on a company-wide level. Every facet of a business suffers when sensitive information is stolen or when data is leaked or breached.
This disconnect can be so deep between security teams and executives that they could be working against one another at a fundamental level. According to Gartner, CISOs often pointed to "security guidance" as the primary value proposition, whereas board members think "data protection" is the primary value of cybersecurity to the business. Of the board members they surveyed, 80% value "risk posture" as the most important metric for reporting. Less than 20% of CISOs thought the same.
The ramifications of keeping the status quo are steep. In a digital-facing world, this lack of communication and cultural divide becomes increasingly dangerous every day. CISOs need to start cultivating relationships with top business stakeholders and business leaders so problems can be addressed and met head-on.
If COVID-19 has taught us anything, it’s that security teams can work remotely and be just as effective. It has also made cyber risk more present and visible on a board level, as things like Zoom room hacks became prevalent during the pandemic. Once everything was remote, it was easier to see the cracks in security approaches.
Many boards have started to form committees that allow for cybersecurity discussions behind closed doors in an open and honest fashion. These committees are most often led by qualified candidates like former CISOs, vice presidents, or third-party consultants to ensure that cyber risk receives the attention and resources it deserves and to share some of the weight of responsibility with the CISO. It allows security professionals to report to the CEO without fear of repercussion or censure.
CISOs need to focus on these relationships to get basic executive-level buy-in on security initiatives to make these committees a reality eventually. Too often, these issues are put off until a regulatory requirement requires attention or restructuring or until the cultural divide between the departments has become too wide even to address the problems without hostility present on both sides. Then a third party is required to come in and assess and mitigate and hopefully get the two on the same page.
But businesses are hurting themselves in the long run by putting these conversations off and continuing to accept the status quo of siloed departments. What can CISOs do to cultivate these relationships between their teams, high-level executives, and board members?
Luckily, even if your company isn’t quite at the committee-forming, honest conversation stage of security decisions, interest in cybersecurity and technology risk management is still increasing at the board level, with 91% of organizational leaders responsible for cybersecurity and technology risk management having reported to the board at least once in 2018.
It’s been historically challenging to portray cyber risk in a business context, resulting in conflicting goals with management and higher-level executives. There is often an ask of, why we are allocating so many resources to a program that can’t quantify a return on security investment.
Because cyber risk tends to be “invisible,” especially when CISOs are taking a risk-first approach, it can be challenging to demonstrate the importance and success of the investment. Yet, when these budgets are slashed, cybersecurity professionals find themselves with even more areas to oversee but not enough bandwidth to manage it all.
By presenting a tangible narrative for organizations to connect to, it’s possible to show how the IT department touches many aspects of the operation and industry and how valuable they are to every step of the process. This allows the work and effort the IT department puts in to be more “visible” and allows higher-level executives to easily view the value of the investment into the departments that manage risk and digital transformation initiatives.
Knowing your audience is critical when crafting this narrative. Who are the individuals on the board, and what roles do they serve? Which stakeholders are most affected by a breach? What risks does the company face by addressing compliance instead of a risk-first approach?
These narratives and relationships become key when a security incident disrupts normal business operations or when CISOs propose a rip and replace of legacy IT GRC systems, which typically requires a considerable investment of resources and employees.
Security teams can assist in melding teams by understanding board priorities and market trends. Is there a significant shift if regulatory requirements are coming, putting cybersecurity professionals under strain to meet deadlines? Are board expectations unrealistic? Are any of the business units in danger of imminent attack?
By approaching this as a team, stakeholders can propose their own solutions, which will have more weight when there are multiple voices instead of just coming from the security team. It’s essential to keep framing cybersecurity risks in a business context to make the initiatives and changes relatable on a company-wide level. Even if conversations become a little technical, everyone can still work towards the same goals by sticking to business terms.
According to Gartner, through 2025, CIOs who successfully communicate their organizations’ business value will maintain 60% higher funding levels than their market peers. While communication between CISOs and other senior executives and board members has improved in the last year, many still have a critical gap in what is said vs. what the business side hears. It’s imperative that the CISO and C-suite interactions continue to increase, lest it cost security leaders a voice at the executive table in strategic planning.
If you want to learn more about how stakeholder relationships affect CISOs, chief financial officers, or chief human resource officers, check out our webinar. To learn more about how CyberSaint can assist in augmenting your security team, contact us.