CISOs and Boards Come Closer to Seeing Eye-to-Eye

CISOs’ security departments and boards of directors seem to have incompatible mindsets. Defenders want to safeguard their company’s trade secrets, customer data, and networks, all of which cost money without directly contributing to the bottom line. Board members focus on the company’s overall strategy rather than its defensive posture, and historically CISOs were rarely invited to address, let alone join, the board unless an incident had occurred.

But there is hope: The latest edition of Splunk’s annual CISO Report shows that cybersecurity executives and boards of directors are coming together like never before. “The CISO-board relationship is deepening as they have more opportunities to engage on matters of cybersecurity and enterprise risk,” the Cisco-owned data software company said. “Most CISOs (82%) now report directly to the CEO, a significant increase from 47% in 2023.”

Having a direct line to the CEO—and, in some cases, the board of directors—can help assure CISOs they’re more than just sacrificial totems whose primary job responsibility is taking the blame for security incidents. Instead, organizations are starting to recognize the value of a CISO who’s deeply inspired to prevent incidents from happening in the first place while effectively communicating the value of that reduction in core business risk. Now more than ever, CISOs can actively advocate for their organization’s needs to people in positions of greater power.

Splunk pointed out that this relationship still has room to improve. “CISOs are not exactly confident about the board’s cybersecurity prowess,” the report said. “While 60% acknowledge that board members with cybersecurity backgrounds more heavily influence security decisions, not all boards have an authority like that in the room. Only 29% of CISOs said their board includes at least one member with cybersecurity expertise.”

The report also indicated that CISOs and their boards of directors rarely see eye-to-eye. It showed significant differences in how security departments prioritize their duties—CISOs are more likely to believe they should collaborate with other departments and meet security milestones, for example. At the same time, their boards are more focused on achieving regulatory compliance and showing a return on investment for security-related expenditures.

“The net-net? For one, boards don’t want fire-fighting heroics from CISOs,” Splunk said. “They’re looking for mature, strategic, proactive leadership and business enablement, not just damage control when an incident inevitably occurs. CISOs who can educate the board on how their security KPIs can benefit the business will find more success.”

All of which is to say the relationship between CISOs and their boards of directors is similar to the one between security departments and the developers whose products they’re defending. Boards can see CISOs as financial burdens and devs often see cybersecurity departments as obstacles to meeting their own goals. It’s up to defenders to change those perceptions by clearly demonstrating the benefits of taking security more seriously.

Synack’s Penetration Testing as a Service platform is tailor-made to help CISOs navigate boardroom politics with concrete data and actionable insights. The executive reporting capability is vital for CISOs hoping to leverage their pentesting program to inform strategic decisions: Where might a limited security budget be best applied? Where could dev teams stand to brush up on their cybersecurity training?

To find out more about how Synack can help bring CISOs and board members even closer together in pursuit of risk reduction, schedule a demo