CISOs shouldn’t be shy about what they need from the board, as organizations with mutual board-CISO understanding are better positioned to tackle cybersecurity challenges successfully.
There has been an extremely strong focus of late on organizational boards’ concerns about cyber threats. This focus has come alongside amplified regulatory attention, much of which pushes for stronger board engagement on cybersecurity. As a result, board directors are increasingly asking questions of their CISOs.
In November 2023, the New York Department of Financial Services (NYDFS) finalized its modifications to 23 NYCRR Part 500. While this legislation was groundbreaking for being very prescriptive about which cyber controls are required, earlier drafts also contained indications that each board should have suitably cyber-qualified members.
As a result, questions about cybersecurity practices are cascading into risk committees in every enterprise, with CISOs at the center.
But the CISO is already in the ‘hot’ seat, navigating a very challenging role that requires both deep expertise and experience. To ensure CISOs are equipped to meet this challenge, boards must look beyond what they need from their CISOs to address what CISOs need from them as well.
What the board wants from the CISO
The board has very specific expectations from their chief information security officer that center on effective risk management and communication. Most of all they want transparency and truth. This requires translation skills, as the CISO must translate complex cybersecurity risks into clear business terms and potential impacts that board members can understand and act on.
While clear and concise risk communication is essential, boards also expect regular updates on the organization’s security posture, critical threats, and vulnerabilities that could affect business objectives, all explained without technical jargon.
Let’s remember that board members have personal liability at stake, and they want to see strategic leadership through a long-term security strategy that aligns with business goals, supported by clear metrics and cost-effective resource allocation. It is paramount for CISOs to remember this motivation when talking to the board.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source : https://www.csoonline.com/article/3829678/what-cisos-need-from-the-board-mutual-expectations-respect.html
CISOs are trained to fix problems. Lawyers are trained to find them. The two must work together to address complex challenges like breaches, compliance, or the ethics of emerging technologies.
There’s a joke that’s been floating around boardrooms for years: “What’s the difference between lawyers and engineers? Lawyers don’t think they’re engineers.”
This light-hearted jab highlights a fundamental difference between the two professions. Engineers, and by extension CISOs, focus on building and fixing things, learning a wide array of skills, sometimes sticking their hands into technologies nobody trained them to handle. Lawyers, on the other hand, aim to find problems, navigate gray areas, and anticipate risks.
While these differences might seem like a recipe for conflict between the two professions, they can often lead to a strong partnership. By combining their skills, these two groups can navigate the ever-evolving intersection of technology, innovation, and regulation.
“Cybersecurity and data breaches are not just technical issues,” says Michael Welch, former CISO and managing director at MorganFranklin Consulting. “They can be intertwined with legal, regulatory, and reputational risks that require a collaborative, proactive approach.”
While the relationship between CISOs and their legal teams is essential, things don’t always go smoothly. Differing priorities and communication gaps can create tensions or even lead to conflict. However, strengthening this partnership is not just beneficial — it’s critical for the organization’s ability to manage risks and respond to complex cybersecurity and compliance challenges. And CISOs can do a few things to make this partnership work.
Source : https://www.csoonline.com/article/3811937/cisos-stop-trying-to-do-the-lawyers-job.html