There is a temptation to think of cyber-criminals as complex and sophisticated hackers, skillfully breaking through our defenses. As AI reaches widespread adoption, there are fears that we could see an even wider variety of sophisticated threats. But for businesses, phishing and poor cyber hygiene represent a more common and significant threat. Therefore, good cybersecurity for the enterprise is routed in a more mundane focus on preparation and communication.
As we enter October’s Cybersecurity Awareness Month, there are signs that CISOs and boards are making a concerted effort to cut down on corporate jargon to improve communications and insights around cyber. In this article, we will look at why CISOs need more visibility at the board level, how to improve cyber communication and how this can be translated to the wider organization.
Increasing Threats
As leaders such as Ciaran Martin, former CEO of the National Cyber Security Centre (NCSC) have recently argued, focusing on hardware and software flaws is likely to form the heart of good cybersecurity in the future. Phishing is the most common threat vector to most organizations. Wipro’s recent State of Cybersecurity Report found that 81% of respondents reported email phishing as the top threat to their business, followed by 79% for ransomware.
In the AI age, there is every chance that these kinds of threats will become more sophisticated. But ultimately, phishing is driven by social and organizational challenges rather than highly technical ones. For this reason, ensuring that cybersecurity is the responsibility of everyone in the organization is vital.
Cybersecurity at the Board Level
But how do leaders ensure they create this culture? The key solution is ensuring that boards are well-informed and bought into the cybersecurity functions of the organization, setting the culture and creating urgency from the very top. Approximately 68% of organizations report cyber risk to the board at least once every quarter. However, in the AI age, where posts on dark web forums about how to exploit ChatGPT rose by 625% in February 2023, these efforts are nowhere near enough.
As a first step, CISOs need more visibility at the board level, regularly reporting directly into the CIO. Currently, nearly 54% of global CISOs directly report to the CIO, while only 25% of global CISOs communicate with the CEOs. Fostering these direct lines of communication ensures that challenges are flagged earlier, and the board better understands the return on the investment into cybersecurity they are making.
Cutting Down on Jargon
However, this increased facetime has limited value if CISOs do not communicate effectively. The days of obscuring cyber behind technical language are long gone, and CISOs must continue their efforts to cut down on corporate jargon.
Opening up the conversation to ensure that the entire board understands cybersecurity issues is essential, because it lays the groundwork for more honest and open conversations about best practices. From here, boards can lead in ensuring that cybersecurity is instilled as a culture throughout the organization.
Becoming a Learning Organization
Ultimately, all organizations need to become agile ‘learning organizations’ wherein the conversations of balancing business growth, security and impact reduction, and practical actions for changing and improving business operations are had at the leadership and every level of the business.
In particular, training at every level can have a huge impact on creating a culture of shared responsibility around cyber. Figures indicate that 85% of the boards have established some form of cybersecurity oversight, but only 32% of organizations have a designated board member to provide cybersecurity oversight. Worse, only 27% of cyber simulation exercises involve the board.
Getting greater engagement from the board is vital to becoming a learning organization, as they must set the culture from the very top. This enthusiasm can also be just the support cyber professionals need to deliver a more effective training program. For example, phishing attacks often impersonate board members of the target company to trick unsuspecting employees.
More immersive training can be delivered with greater board buy-in, such as using a suspicious link sent to an employee to deliver a phishing awareness course. On top of this, organizations can host employee training where workers can create their own phishing emails and initiate friendly peer competitions, workshops and quizzes. Employees, therefore, get a broad perspective on how phishing operates and see how seriously leaders are taking cybersecurity.
When implemented effectively, incorporating cybersecurity into a business-aligned management structure offers organizations invaluable benefits, such as enhanced board accountability, promoting risk-mitigating behavior across the business and underscoring the importance of adequate cybersecurity budget and training, among others.
Conclusion
Gone are the days when cybersecurity was perceived as ‘for IT teams only’, and CISOs need board-level visibility to promote cyber hygiene and improve digital resilience. Cutting down on technical jargon can effectively break the ice between cyber experts and board members, facilitating open communication. Only through an open dialogue can businesses become learning organizations where all employees are sufficiently cyber-trained. With AI further strengthening ever-growing cyber risks, the time to kickstart that process is now!