Managing Risk and Driving Growth: Why CISOs Need to be Closer to Their CEOs

During her inaugural speech as the new CEO of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron argued that cybersecurity is still not as embedded as it should be into boardroom thinking. 

“The pace of change is no excuse — in boardrooms, digital literacy is as non-negotiable as financial or legal literacy,” she claimed. “Our CEOs should be as close to their CISO — their Chief Information Security Officer — as their Finance Director or their General Counsel.”

Cameron was talking specifically about UK boardrooms, but research shows the same point applies to executives in European and North American organizations. She’s right, of course: if managing risk is an essential part of running a successful business, then mitigating cyber risk must be a core part of that effort. After all, no modern organization can function without its IT systems.

A direct CISO-to-CEO reporting line would go a long way toward addressing this gap.

Losing the Cybersecurity Battle

Cyber threats loom larger every year. The security industry is growing at a healthy 10% CAGR and is expected to be worth over $326 billion by 2027, yet malicious activity has never been more widespread. Serious breaches continue at an alarming rate, hostile nation states are more emboldened than ever, and estimated annual damages from cybercrime are now measured in the trillions of dollars.

The number of breached and exposed records soared 141% year-on-year in 2020 to top 37 billion, according to one report. Data breaches remain a serious reputational and financial risk, but they have arguably been surpassed by ransomware. Ransomware comes in two flavors: automated, commodity campaigns that tend to catch out mid-sized companies and under-resourced organizations, and highly targeted, multi-stage intrusions that can bring down some of the world’s most profitable businesses.

The latter became more prevalent during the pandemic, as remote workers, unpatched endpoints and other security gaps were ruthlessly exploited. One security vendor reported that attack volume surged by 150% in 2020, with the average extortion demand doubling. For victims who refuse to pay, the pain continues in operational and other losses as business flows to rivals and IT teams struggle to bring systems back online. The average ransomware victim is said to have suffered 18 days of outages last year.

Cyber Attacks Get Physical

By halting production lines, grounding flights and closing hospitals, ransomware should be bringing home to boardrooms the potentially crippling real-world impact of escalating cyber-risk. But there’s more. 

As more Internet of Things (IoT) devices are installed in factories, healthcare facilities, retail stores and other businesses, they offer threat actors another huge attack surface. Many of these devices ship riddled with bugs, lack the resources to run endpoint security software, and cannot easily be patched. It is a recipe for disaster in which operational technology systems are hijacked, sabotaged or remotely controlled for profit, or, in the case of nation states and cyber-terrorists, to cause chaos and destruction.

How Does This Impact Organizations?

At a high level, successful cyber-attacks hit both the bottom line and corporate reputation. The costs include: 

  • Costly IT overtime required to investigate and respond to breaches
  • Staff productivity losses due to outages
  • Lost business as systems sit idle due to ransomware 
  • Customer churn due to bad publicity from breaches
  • A falling share price as brand reputation sinks
  • Legal costs resulting from breaches and possible class action suits
  • Regulatory fines

Under-investment in cybersecurity also has a chilling effect on digital transformation. As soon as a major breach hits home, resources must be redirected to retrofit protections into new services and systems that should have been built securely from the start. This can easily put projects on hold for months or even years.

Why IT Leadership Matters

As McKinsey explains, cyber risk is at its heart “a form of business risk.” So why don’t more business leaders pay close attention to their CISOs and other IT leaders? Research published by the Enterprise Strategy Group (ESG) in 2020 found that 69% of executives in North American and European organizations believe security is “entirely or mostly a technology area with little or no linkage to the business.” Boards, it found, are generally uninformed about and unengaged with security. 

Why does this matter? According to the ESG report: “when board members are more educated, they ask tougher questions, dig into issues, and make the leap from cybersecurity to business issues.” Conversely, when boards take no interest, business executives are willing to invest only in the bare minimum of people, processes and technologies needed for compliance and basic protection. 

The steady stream of breached organizations in the news is testament to this continued settling for “good enough” security. Not every incident could have been prevented by a more engaged board, but in many cases the impact could certainly have been reduced.

Towards Closer Alignment

CISOs, and in smaller companies without that role, senior IT administrators, are the crucial bridge between the security function and the business: they make the case for investment in the right areas and provide strategic advice early enough to shape transformation projects. As the NCSC’s Cameron argued, their role should be seen as being as critical to business success as that of the CFO or General Counsel/CLO. Yet too often they don’t even get a seat at the board table, reporting into the CIO instead.

Three recommendations from the Enterprise Strategy Group (ESG) would go a long way toward bridging the gap:

  1. Ensure CISOs report directly to their CEOs, so that security input reaches business leadership and business priorities reach security. If a company doesn’t have a CISO, someone should still own cybersecurity strategy, and that person should report directly to company leadership. 
  2. Hire Business Information Security Officers (BISOs) to drive security into business processes and people at a divisional level.
  3. Formalize and document cybersecurity with KPIs and established metrics, so that CISOs and IT administrators can communicate with their business colleagues in a shared language.

Closer business-cybersecurity alignment won’t happen overnight. In many cases it requires cultural change, which can be excruciatingly slow. But organizations that fail to act now may find themselves falling behind as global digitization accelerates again post-pandemic.
