Board-CISO Mismatch on Cyber Responsibility, NCSC Research Finds

New research conducted by the UK’s National Cyber Security Centre (NCSC) has found that 80% of board members and security leaders are unsure of where accountability for cyber resides.

The government cyber agency said its research found that in many organizations the CISO thought the board was accountable, while the board believed accountability sat with the CISO or an equivalent role.

The research, conducted by the research specialists Social Machines, included interviews with board members, CISOs and other cybersecurity leaders in medium to large organizations.

Most board members do not have in-depth cyber knowledge, and the research found that, because of this, board members felt unable to offer the necessary oversight.

Meanwhile, CISOs stated that they did not feel the need to involve the board because members may struggle to understand technical explanations.

“As the authority for cyber security in your organization, it’s up to CISOs to elevate their conversations with board members (and other senior decision makers) so that they connect ‘cyber’ with the overall business challenges and context,” Sarah Lyons, Deputy Director, Economy and Society Resilience Topics at the NCSC wrote in a blog post published on October 7.

It is critical that those with cybersecurity knowledge understand how to communicate effectively with the board or senior executive teams, and the NCSC has published new guidance on this.

“As cyber professionals, it is the CISO’s job to bridge this gap to provide better cyber security outcomes,” Lyons’ blog noted.

New Guidance Encourages CISO Comms with Board Members

The NCSC published advice on how to engage with boards to improve the management of cybersecurity risk.

The new guidance is aimed at security leaders, including CISOs, and looks to help them communicate effectively with boards and engage their members.

“As a cyber professional, it is part of your job to bridge this gap to provide better cyber security outcomes,” the guidance noted.

“Cybersecurity is a strategic issue, which means you must engage with boards on their terms and in their language to ensure the cyber risk is understood, managed and mitigated.”

The guidance included advice on the following topics:

  • Insight into the role of the board and who is part of it
  • How to quantify and make cyber risks tangible using precise language
  • Engaging with the board outside of meetings and looking for opportunities to inform, update and advise
  • Understanding what is most important from the board’s perspective and what critical questions they may want the answer to
  • Engaging strategically with the board on connecting cyber with overall business challenges and context
  • Communicating clearly by using a language that resonates with their business mindset

The NCSC said that by following its guidance, CISOs are more likely to receive the investment and resources they need, which will ultimately reduce cyber risk across the organization.

Earlier in 2024, the NCSC published a Cyber Governance Training Pack for Boards to help decision makers improve their understanding of cybersecurity governance.