Boards will increase their spending on cybersecurity, but only if they see broader benefits for the business, according to CISOs.
Speaking at an expert panel at Infosecurity Europe 2022, they argued that organizations needed to see more than an absence of successful cyberattacks to justify spending on personnel and security tools. They need to know that spending supports business goals or, in the government and nonprofit sector, provides good value for money.
Additionally, CISOs need to move away from technical discussions about vulnerabilities. Instead, the conversation should focus on business risk and the issues that concern the board.
In the legal industry, corporate boards are focused on protecting their firm’s reputation and protecting client data, said Toks Oladuti, Global Deputy CISO at law firm Dentons. This reputation also contributes to the commercial success of the company. “We have KPIs around what we do to help the company win new contracts,” he said. “Organizations have invested heavily over the past decade in technical capabilities. What the board expects are results.”
Samantha Hart, CISO of professional services firm Davies Group, pointed out that boards are trying to quantify risk, including in the cyber realm. If all a CISO can show is that the company wasn’t breached, “that’s not a very attractive story for my money and my workforce,” she conceded. This means being transparent about the cost of security failures.
Outside of the commercial sector, CISOs report similar experiences. Jon Townsend, CISO at the National Trust, said there was no point talking to boards about “vulnerabilities and CVEs”. “It doesn’t make sense to people who don’t work in our sphere,” he admitted. Instead, the case for resources should be tied to business outcomes.
“We are a charity and we are responsible to our supporters,” he said. This includes risk monitoring across a supply chain of some 28,000 companies, ranging from independent traders to multinationals.
Panel Chair Paul McKay asked the panel to share lessons learned.
Townsend advised CISOs to be “curious” and not take anything at face value, whether talking to suppliers or internal colleagues.
Hart said CISOs need to focus on risk quantification, because that is increasingly the direction in which board-level advice is moving.
Oladuti suggested CISOs need to take the time to understand the business and what’s important to the board and management. “It helps me gain a lot of traction,” he said.