The CISO-Board Relationship : 6 Keys To Its Success
The relationship between the Chief Information Security Officer (CISO) and the Board is a topic that has received increased visibility in the past few years.
There are 6 keys to making this a constructive and successful relationship.
CISO Mandate – The positioning of the CISO greatly impacts their ability to achieve the visibility and influence required to effectively manage cyber security. Who the CISO should report in to is a hot topic and one dependent on organisational corporate governance and maturity. It is key for the CISO to have the ear and the attention of at least one member of senior leadership, so that conversations around cyber risks take place and those risks are integrated into wider enterprise risk management and corporate governance activity.
Resourcing of the CISO - Boards should pay special attention to who controls the CISO’s budget, and the extent to which security compliance and projects might have to be cut due to budget or, in light of the current skills gap, staffing constraints.
Engagement of C-Level with the CISO - Boards should review the frequency and quality of interactions between the CISO and other C-level executives. To ensure that top management is appropriately engaged in cyber security, at a minimum there needs to be an established security governance model. Regular reporting through that governance model from the CISO to the C-Suite gives visibility of the added value the CISO brings.
Know the Security Team Before An Incident – Boards are urged not to wait until a security incident has occurred to start familiarising themselves with the security team. A clear response plan, developed with leadership input and with defined roles and responsibilities, will help facilitate early conversations and relationship building.
Review the CISO’s Network of Influence – Quality interactions with the rest of the C-suite are important for integrating and embedding cyber security across the business. When it comes to internal visibility and influence, CISOs can’t afford to be, or be seen to be, siloed in an IT-centric role.
Review the Cyber Security State of the Company – Boards must have frequent discussions and continuously review the state of cyber security within the business. Together with the CISO, boards should discuss lessons learned from recent incidents to fill any gaps and ensure that appropriate lessons are drawn and incorporated into incident response plans. Boards need to ensure that the organisation is making adequate progress in securing its most valuable information assets.