I have been covering cybersecurity issues, first as a journalist then as an analyst, since 2006. In those 15 years I have heard the mantra that security is a boardroom issue hundreds of times. The subject has filled countless conference talks and media articles.
It appears that the message is still not getting through, if a speech by the new CEO of the UK National Cyber Security Centre (NCSC) is anything to go by. In her first public speaking engagement in March this year, Lindy Cameron said (you guessed it, folks) that security must be given more attention in the boardroom.
“Cybersecurity is still not taken as seriously as it should be, and simply is not embedded in UK boardrooms. The pace of change is no excuse — in boardrooms, digital literacy is as non-negotiable as financial or legal literacy,” she said.
“Our CEOs should be as close to their CISO as their finance director and general counsel, and we want to help them to develop this knowledge, as we’re all too aware that cyber-skills are not yet fundamental to our education — even though these are life skills like wiring a plug or changing a tyre as well as skills for the future digital economy.”
Fine words, reported diligently by a few security media outlets in between the latest sensational cyber-attacks. But why has nothing changed – and, more importantly, does it even matter?
Have a cigar?
I take issue with the claim that cybersecurity is “not taken seriously” by CEOs and their peers. I believe they are more than aware of the risk of cyber-attacks. But there is a crucial difference between taking an issue seriously and making it a regular, “embedded” boardroom issue: one discussed and approved by directors at all times. This is what many aspire to, and to get there security people are told they must speak the “language of business” in order to win budget approval and get things done.
I am not sure those who want a seat at the table will ever find one. Perhaps security is not a regular boardroom issue because the board simply expects the CISO, and everyone in the hierarchy beneath them, to get on with the job. The demand also betrays a lack of awareness on the part of the “cyber is a boardroom issue” lobby as to what board meetings actually consist of.
Mind your language
Very often this debate is framed around language: the board does not care because CISOs only talk in technical terms that directors do not understand. If security people can frame security needs and projects in “normal” business language, the argument goes, then more budget may be forthcoming or new policies could be approved. I’m not so sure this makes a difference.
Apart from awareness training to reduce people-based incidents such as phishing (which rarely succeeds in the long term), reducing cyber risk is almost entirely a matter of managing policies, IT and software well. It is therefore not unreasonable for a CEO and the board to consider it primarily an IT issue.
There are articles, books even, which explain how to get boardroom buy-in – yet the amount of activity and social interaction these entail would preclude the CISO from doing much else. Many organizations are simply too small to have an expensive, dedicated CISO function, so they rely on managed security services. The board then simply expects that provider to do what it says on the tin.
Unlike finance, HR, marketing, R&D and other lines of business, IT security is a function of risk and event management, not of creative development. It is a negative asset, one that organizations would gladly pay less for if they could. Security does not lead to innovation, create new markets, design new products and services, or weigh the impact of M&A, ROI or P&L. It is, however, a cost entry in the auditor’s report.
Focus on technology not theory
For her first speech, Lindy Cameron would have done better to focus on how advanced technology, automation and better-designed security tools are doing more to keep organizations safe, rather than trotting out a tired line about security’s battle to be taken seriously by the board.
Away from this distraction, the best CISOs, CIOs and IT managers are putting in place security technologies that focus on the end user, working with vendors and analysts to find the right solution. They are making employees’ lives easier by deploying privileged access management, single sign-on, secure remote access and the like without the security controls getting in the way. This is surely what makes security a business issue, and it needs no boardroom approval.
Given the workload of most CISOs right now, not having to worry about speaking to the board would probably come as a relief. Of course, the one time a CISO may be summoned to the board is when there is a serious breach, but no-one ever said life was fair.