Op-Ed: The case for CISOs at the boardroom table

The annual AFR Business Summit in March dedicated a full day to discussing cyber security for the first time. The reputational damage inflicted on Optus, Medibank and, most recently, Latitude Financial was certainly a wake-up call for boards and senior executives in corporate Australia about managing the new world of cyber risk. These incidents also made it clear that cyber preparedness is not just an IT security issue but also a board-level issue.

All signs point to a breakthrough in how cyber security is factored into business strategies. What should follow is chief information security officers (CISOs) truly taking a seat at the boardroom table, with Gartner predicting that we will see an increase to 40 per cent of CISOs represented at the board level, up from the current less than 10 per cent.

There is certainly an intent to improve these numbers, with cyber security making its way into the mainstream strategic business discussions as a critical issue that all the executives across the business need to be aware of and responsible for. We are also seeing the first subcommittees being set up to tackle these issues.

These executives understand that the price of non-action is high and the government has taken meaningful steps to prompt some action.

Yet has the scale and impact of the ongoing increase of new and evolving cyber threats truly propelled organisations forward to proactively take charge of their cyber resilience? The recent breach of financial services company Latitude may indicate otherwise.

Over two-thirds of Australian C-level executives believe they are making correct identity security-related decisions, and there is a perception that overall security can be achieved by making the right technology investments. But that is only part of the story. Strategically, maximising those investments to include implementation and integration with existing environments, breaking down silos, and improving training is equally important.

This is where CISOs are set to play an integral role. Not having a technology expert involved in those strategic discussions would be detrimental to business continuity. It is the CISO’s role to impart this knowledge to other leaders in the business, while adding to the agenda key data insights on the organisation’s cyber security risk, which will help inform better decision-making and understand where a business truly stands in its maturity.

While cyber security is a key consideration — and conversations are happening across Australian boardrooms this year — we still have some ground to cover. According to recent research conducted by CyberArk and Enterprise Strategy Group surveying 1,500 cyber security professionals on their company’s security maturity level, only 9 per cent of organisations are taking an agile, holistic, and mature approach to securing identities throughout their hybrid and multi-cloud environments.

VIEW ALL

There are two main actions that need to take place, and collaboration is the key ingredient.

Better education for better security

To effectively manage cyber security risks, start by improving education at the board level. Equipping key executives with a solid understanding of cyber security makes it easier to foster transparent and productive discussions that acknowledge the close link between business decisions and security risks.

However, the language used in the IT industry can often be technical and difficult to understand. To bridge the gap between technical jargon and business impact, it is essential to simplify the language and use practical examples to deliver the message. This approach will help stakeholders grasp how cyber security risks impact business continuity and, ultimately, the bottom line.

For instance, it is important to prioritise cyber hygiene as it can directly impact a business’s financial evaluation. Since data is a valuable asset that needs to be protected, the better it is safeguarded, the more value it holds for the organisation. When businesses prioritise cyber security, they can increase the value of their data, which, in turn, enhances their overall business value.

Providing practical examples of how cyber security affects and benefits a business makes it easier to have transparent conversations and dispel negative connotations surrounding the topic.

A true partnership of leaders

It will be critical for all key business executives to proactively ensure alignment between their business and security objectives while managing cyber security debt.

Forming a dedicated subcommittee and allocating the right resources to resolve any conflicts between what business and security executives want will be essential to ensuring alignment and maintaining awareness of the business’s cyber security strategy to prevent severe business disruption.

CISOs can play a strategic role in driving digital initiatives forward, but involving them from the start is essential. They can educate IT and business executives on security risks, establish zero-trust processes, such as securing user access to critical applications, and stay aligned with key stakeholders. By balancing investments between digital initiatives and security protections, CISOs can prevent cyber security debt accumulation that may impede progress.

We have already seen positive changes, and we can expect more widespread adoption as businesses recognise the close link between business and security decisions regarding their reputation, safety and value. It’s time for business leaders to take responsibility for protecting and taking their customers’ data seriously.

Thomas Fikentscher is the regional director of ANZ at CyberArk

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.