What the Boardroom Is Missing: CISOs

According to a new study (subscription required), only 12% of S&P 500 companies have board directors with relevant cyber credentials, showing a major gap in the expertise needed to keep organizations secure.

As most organizations shift to digital and cloud-first strategies, businesses of all shapes and sizes must protect their assets. Similar to the Sarbanes-Oxley (SOX) Act of 2002 — which requires corporations to adhere to certain practices in financial record keeping and reporting — the SEC implemented federal compliance for cybersecurity in July. Companies had to begin complying by Sept. 5. These regulations require businesses to provide annual cybersecurity risk management, strategy, governance disclosures, and disclosure of any cybersecurity incidents. Although security has been a board-level conversation for some time, CISOs will be the ultimate source for ensuring best security practices are being followed.

Closing Board Gaps

Unfortunately, there's a considerable gap between security leaders and the board directors responsible for managing businesses. A recent Harvard Business Review survey of 600 boardrooms revealed just 47% regularly interact with their company's CISO. That's a severe knowledge gap for a company's security and business leaders. It's high time we started looking at CISOs as critical assets for every company's board to fix this problem. After all, security failures can crush more than just a company's reputation; they can also tank stock prices.

Yet according to research from the CAP Group, among Fortune 100 companies, just 51% have directors with relevant cybersecurity experience. The situation is even more alarming in the Fortune 500, where only 9% of boards have directors with a strong understanding of cybersecurity. This problem extends to companies in the Russell 3000, where just 8% have directors with cybersecurity expertise.

Introducing CISOs to the boardroom is not just about compliance or avoiding enforcement from the SEC; it's also about ensuring transparency and accountability. CISOs are already building security programs from the ground up. They provide business compliance, hire the right people, and find the right technology to supplement their team's efforts. Security posture is critical to an enterprise's future success, and having a CISO on the board that speaks the language can help a board understand if their business is making suitable security investments.

Increased Stakes in a Cloud Era

Of course, the cloud unlocks huge advantages — notably, the ability to innovate faster — but also creates new security challenges. The cloud has an exploding risk surface area and a 1,000x rate of change, which means most of an organization's code is created upstream and is often open source, not to mention developers define containers, workloads, networks — everything — as code.

Given how rapidly the current threat landscape shifts, every organization would benefit from the CISO having a boardroom seat. Not only are revenue and profitability directly impacted by a company's digital business, but these corporations are trusted by millions of individuals to use their data appropriately and securely. When assets are at risk of attack, so is the company's ability to thrive. Introducing a CISO to the boardroom helps assuage fears of security threats, as the CISO can effectively communicate risks and keep them out of the shadows of how security impacts business.

But as CISOs enter the boardroom conversation, they also undergo the expectation from CEOs and board members to drive the probability of intrusions, data exfiltration, ransomware, and other attacks, to effectively zero. Many individuals outside of security don't understand that this task is essentially impossible, and it's up to the CISO to communicate that to the board while still assuring them their assets are well-protected by the organization's security practice and team.

Being More Than a Technical Expert

At the board level, CISOs ensure compliance with appropriate regulations and standards while driving business growth. These regulations shouldn't be seen as profitability roadblocks but opportunities for CISOs to communicate why security should be a priority and not an afterthought. The increased scrutiny of today's economic environment and the new rules set by the SEC open a door for security leaders to decrease complexity, raise awareness, and solidify engagement with security efforts across the company.

But aligning an entire organization on security is challenging since most employees don't have technical expertise. When proposing a security strategy to a room full of nontechnical folks, there's the possibility that the audience will leave with more questions than answers. That's why CISOs are prioritizing soft skills. The CISO's sole responsibility is addressing security threats and vulnerabilities and getting people to buy into processes and best practices. CISOs' roles are complex and nuanced and need to be treated as such. Their presence in the boardroom would bring greater task efficiency, focus, and accountability.

CISOs are indispensable when it comes to establishing a modern security posture. As the SEC tightens its reins on security and more business leaders understand the business implications of a secure cloud environment, we can expect to see more CISOs join the boardroom to spearhead a change we need to see for a greater focus on protecting the cloud and the data that lives within it. And while the responsibilities of the CISO are changing, one thing remains the same: Keeping people and sensitive data safe and secure is always the No.1 priority.

That's something every board of directors can benefit from.