Recent guidance published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance instructs board members to drive “a culture of corporate cyber responsibility” by empowering CISOs with the influence and resources they need to shape decisions so that cybersecurity is effectively prioritized and not subordinated to cost, performance, and speed to market.
Although this sounds like a CISO’s dream come true, it doesn’t mean that boards will suddenly open the purse strings. Responsible to their shareholders, boards and executives will always be hyper-focused on the bottom line. Only now, with liability bearing down on them, they also require accurate, risk-based funding requests that quantify the need, the total cost of ownership, the effectiveness of the proposed controls, breach exposure and likelihood, and the cost to the business should a breach occur.
Traditionally, CISOs haven’t communicated this information well enough to their boards, Chris Hetner, special advisor for Cyber Risk at the NACD, tells CSO. Hetner, who is also a council member of the NASDAQ Center for Board Excellence, points to the SEC cyber risk management rules updated in July, which implicate senior leaders in breaches. Board liability for cyber risk is sinking in, he says, and as a result, board directors are rallying around cyber threats.
This trend definitely impacts how CISOs articulate the need for funding their security programs, Hetner continues. “As an investor, I need to know how you’re treating this risk compared to any other risk and why it matters. Juxtapose that with a CISO bringing in highly technical metrics and reports not understood by the board and you see the disconnect. You want to prepare a tailored, business-focused cyber risk report, ideally on a quarterly basis, that converts technical metrics into understandable, business-aligned metrics. Then, you’ll get your funding.”
Don’t go it alone when asking for cybersecurity funding
When it comes to funding requests, CISOs shouldn’t operate in a vacuum. Hetner suggests seeking allies on the board and executive team, including the CFO and CEO. These people can help CISOs understand the business risk around which to frame their funding requests, and they are often the same people who sign off on them. He also suggests reaching out to other influencers in purchasing and in the business units that will benefit from the funding request.
Finding allies is a key strategy for Michael Bray, CISO of the Vancouver Clinic in the state of Washington. He has gone so far as to educate the board and C-suite on their fiduciary responsibilities when it comes to cyber risk and funding. “Who owns the risk?” he asks. “The board does. They also dictate the risk appetite, provide strategic direction, oversight, and governance for security best practices and spending requirements, as per standard business operation.” This extends to understanding risk assessments and mitigation strategies to protect assets and stakeholders, as well as ongoing compliance efforts and incident response, which he terms “breach management” when speaking to the board.