Of all the challenges boards have been facing, managing cyber security continues to top the list. In the last month alone, much has been written about whether and what types of CISOs should join BoDs – technically focused, business driven, or (rather impossibly) both? Article after article discusses the skills and traits CISOs must have and how best they can communicate with the board.
These topics are trending because (a) over 90% of all Russell 3000 boards lack directors with sufficient cybersecurity expertise, (b) out of the “456 new independent directors who joined S&P 500 boards in 2021” a mere 18 (3.9%) had “experience leading a function such as cybersecurity, IT, software engineering or data and analytics,” according to a Forbes article quoting the research published in July 2022 by SpencerStuart, and (c) many other concerning statistics.
Regardless of which side of the argument you are on – whether CISOs should join the BoD or not – CISOs must not only be able to answer security-related questions but also proactively lead the discussion.
Why? In many organizations, boards struggle with asking the right questions to the incumbent CISO. They want to empower the right road map to manage cybersecurity the way they manage the work of other departments, but they don’t know how. CISOs are the ones to bridge this gap.
It all begins with access to data-driven insights.
As the evolving threat landscape presents a tougher-than-ever leadership challenge for CISOs and their security teams, many CISOs face an extra test – the near-impossible task of instantly making sense of the giant data jungle their security stack continuously generates. To be a contributing member of the board, they need to demonstrate clearly what is happening in their security organization, pinpoint trends, identify where and how the security organization is performing well and which areas need improvement, and show how it all supports business performance.
One can hardly imagine a more difficult situation for CISOs than standing in front of their board, meeting after meeting, with partial answers or dead-ends.
- Too Interpretive - In some instances, CISOs may intuit some of the answers, but without real-time data to back them up they risk their credibility.
- Too Late - The long processes CISOs have to rely on to get the answers they need threaten timely interaction with the board – by the time the board decides to approve a specific cyber action, it might be too late.
- Too Vague - Often, CISOs build their answers on different stories that come from different data sets. They then have to present this complex picture to non-technical board members in language those members cannot follow.
The lack of timely, clear, and data-based answers creates a gap in planning. To close this gap, CISOs need a unified dashboard of data and insights where they can set KPIs and goals, similar to those used in other departments such as finance, marketing and human resources.
The journey to data-driven insights starts with a data lake.
As the security data lake makes a grand entrance into CISOs' everyday lives (just recently AWS made theirs publicly available), there’s great hype about how it can help security teams better define priorities. But a security data lake is only the first step towards effective cyber security performance management. It’s not the final answer. Nor does it instantly provide insights along the way.
CISOs must be empowered with an automated real-time cyber security performance management (CPM) platform – so they can quickly identify which team is responsible for the most phishing clicks, which product was bought but never deployed, which critical endpoints have not been patched, among many other issues. They can compare their current status to their own KPIs as well as industry benchmarks.
Backed by real-time data and statistics, they can help their boards be more aware of the organizational security performance. They can report on trends and progress in a way that board members can easily understand and help align security goals with the larger business goals.
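To make the kind of roll-up described above concrete, here is an added illustration (not SeeMetrics code or any vendor's method) that computes three of the measurements named in the text – phishing click rate by team, unpatched critical endpoints, and products bought but never deployed – over constructed sample records and compares each against an assumed KPI target:

```python
from collections import Counter

# Constructed sample records, standing in for rows pulled from a security data lake.
PHISHING_SIM = [  # (user, team, clicked_link)
    ("alice", "finance", True), ("bob", "finance", True), ("carol", "finance", False),
    ("dave", "engineering", True), ("erin", "engineering", False), ("frank", "sales", False),
]
ENDPOINTS = [  # (host, is_critical, is_patched)
    ("db-01", True, False), ("db-02", True, True), ("web-01", True, False), ("laptop-7", False, False),
]
PRODUCTS = [("EDR suite", True), ("DLP gateway", False)]  # (product, is_deployed)
# Hypothetical KPI targets a CISO might agree with the board (assumed values, not benchmarks).
KPI_TARGETS = {"phishing_click_rate": 0.10, "unpatched_critical": 0, "shelfware": 0}


def click_rate_by_team(records):
    """Fraction of simulated-phishing recipients who clicked, per team."""
    sent, clicked = Counter(), Counter()
    for _user, team, did_click in records:
        sent[team] += 1
        clicked[team] += int(did_click)
    return {team: clicked[team] / sent[team] for team in sent}


def unpatched_critical(endpoints):
    """Critical hosts still missing patches, sorted for stable reporting."""
    return sorted(host for host, critical, patched in endpoints if critical and not patched)


def shelfware(products):
    """Products that were bought but never deployed."""
    return sorted(name for name, deployed in products if not deployed)


def kpi_report(phishing=PHISHING_SIM, endpoints=ENDPOINTS, products=PRODUCTS, targets=KPI_TARGETS):
    """One row per KPI: measured value, target, whether it is met, and the detail behind it."""
    by_team = click_rate_by_team(phishing)
    overall = sum(int(clicked) for _, _, clicked in phishing) / len(phishing)
    missing, unused = unpatched_critical(endpoints), shelfware(products)

    def row(key, value, detail):
        return {"value": value, "target": targets[key], "met": value <= targets[key], "detail": detail}

    return {
        "phishing_click_rate": row("phishing_click_rate", overall, max(by_team, key=by_team.get)),
        "unpatched_critical": row("unpatched_critical", len(missing), missing),
        "shelfware": row("shelfware", len(unused), unused),
    }
```

Each row carries the measured value, the target and a met/not-met flag, which is the shape a board can read without interpreting raw security telemetry.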
SeeMetrics is a Gartner-recognized cyber security performance management platform that covers the entire security data journey – from creating a security data lake to providing measurements, insights, and recommendations. SeeMetrics helps frame the conversations between CISOs and their teams, as well as CISOs and their board.