CIOs must engage with the board about cyber-security opportunities and dangers so information strategy and risk are routinely seen as important board-level issues.
By Steve Durbin
The roles of the CIO, and Chief Information Security Officer (CISO), have changed considerably over the past decade. Chief amongst these changes are that the security-based demands from company stakeholders have increased substantially as a result of major technological and cyber advancements.
Cyberspace is constantly evolving; its potential and real threats, vulnerabilities, complexity, and interconnectivity are always changing. The threat is asymmetric as activists, cybercriminals and nation-states disproportionately increase traditional information risks. In many organizations, cyber-security opportunities and risks have become a board-level issue, so the CIO, like the CISO, must engage at the boardroom level, where information strategy and risk should sit comfortably with other types of strategy and risk that the board oversees.
Information Security Under Pressure
Highly publicized breaches, and more stringent regulations, have put the spotlight on information security in most organizations around the world.
In a recent report, "Estimating the Cost of Cybercrime and Cyber Espionage," conducted by the Center for Strategic and International Studies (CSIS) and sponsored by McAfee, it is estimated that cybercrime and cyber-spying are costing the U.S. economy $100 billion each year and the global economy perhaps $300 billion annually. Malicious cybercrimes are estimated to cost as many as 508,000 jobs in the U.S. alone. This has put unprecedented pressure on C-level executives to assure stakeholders that sensitive information is secure. And as information security moves up senior management and the board's agenda, pressure will continue to mount. Like CISOs, CIOs must be able to shape the message and relay their successes to the board to sustain high-level support for security initiatives. A recent CEO survey, conducted by PwC in its Annual Global CEO Survey 2013, cited cyber-security as having the third highest possible impact on organizations—even ahead of a natural disaster disrupting a major trading and manufacturing hub or military tensions affecting access to natural resources.
Yet, as found by Carnegie Mellon University in its CyLab survey, "Boards are not focusing on important activities that would help protect the organization from some of its highest risks: the reputational and financial losses flowing from the theft of confidential or proprietary information or security breaches involving the disclosure of personally identifiable information (PII)." While a security breach gets immediate attention from the board and company stakeholders, the infrastructure and systems needed to recover from, and prevent another hit, are still not boardroom fare.
Engaging With the Board
The good news is that with increasing stakeholder pressure comes an opportunity to engage more openly and readily with the business. Publicity surrounding breaches, loss of data and the quantifiable impact on brand value has created an environment the like of which security professionals have never seen before.
Now is the time for CIOs and security leaders to take advantage of what seems to be a relentless focus on cyber-security to engage and demonstrate the true business value that their departments can bring. The successful leaders are steadily engaging with the board, while some are struggling for a number of reasons, such as:
• No established relationship with the board
• The board still struggles to understand the importance of cyber-security
• The information security department has difficulty communicating its cyber-security message to the board.
To keep their organization secure, both CIOs and CISOs need to lead and drive engagement with the board—and start by changing the conversation. They need to translate the complex world of information security and information risk into easily understandable issues and solutions. Like CISOs, all C-level executives must change their way of thinking and the resulting conversation so information risk can be considered with other risks that boards oversee.