
by David Gee

What CISOs need from the board: Mutual respect on expectations

Opinion
26 Feb 2025 | 6 min read
Business IT Alignment, CSO and CISO, Compliance

CISOs shouldn’t be shy about what they need from the board, as organizations with mutual board-CISO understanding are better positioned to tackle cybersecurity challenges successfully.


There has been an extremely strong focus of late on organizational boards’ concerns about cyber threats. This focus has come alongside amplified regulatory attention, much of which pushes for stronger board engagement on cybersecurity. As a result, board directors are increasingly asking questions of their CISOs.

In November 2023, the New York Department of Financial Services (NYDFS) finalized its modifications to 23 NYCRR Part 500. While this legislation was groundbreaking for being very prescriptive about which cyber controls are required, there were indications in earlier drafts that each board should have suitably cyber-qualified members.

Similar guidelines were established when the Australian Institute of Company Directors (AICD) drafted its Cyber Governance Principles, which were recently refreshed. The timing of this refresh was no coincidence, as the new Australian Cyber Security Bill recently passed Parliament.

As a result, questions about cybersecurity practices are cascading into risk committees in every enterprise, with CISOs at the center.

But the CISO is already in the ‘hot’ seat, navigating a very challenging role that requires both deep expertise and experience. To ensure CISOs are equipped to meet this challenge, boards must look beyond what they need from their CISOs to address what CISOs need from them as well.

What the board wants from the CISO

The board has very specific expectations from their chief information security officer that center on effective risk management and communication. Most of all they want transparency and truth. This requires translation skills, as the CISO must translate complex cybersecurity risks into clear business terms and potential impacts that board members can understand and act on.

While clear and concise risk communication is essential, boards also expect regular updates on the organization’s security posture, critical threats, and vulnerabilities that could affect business objectives, all explained without technical jargon.

Let’s remember that board members have a personal liability at stake, and they want to see strategic leadership through a long-term security strategy that aligns with business goals, supported by clear metrics and cost-effective resource allocation. It is paramount for CISOs to remember this motivation when talking to the board.

Compliance and governance also remain key concerns for boards. They need assurance of regulatory compliance, evidence that security controls are working, and updates on audit findings and remediation efforts. It is not uncommon for regulators to address their findings directly to the board, and for the regulator to review minutes of board meetings.

The board also expects strong incident preparedness, wanting confidence that the organization can detect and respond to threats effectively, with well-tested response plans and clear communication protocols for security events. This includes the board themselves having a clear understanding of their role in these scenarios. I’ve personally seen boards ask to walk through a page turn of a cybersecurity playbook.

Business enablement is another critical expectation. The board wants security solutions that enable rather than hinder growth, seeking a balance between security controls and operational efficiency while supporting digital transformation initiatives.

Above all, boards want CISOs to answer a fundamental question: Are we secure enough for our risk appetite, and if not, what actions do we need to take? It is an easy question to ask but not that trivial to answer — let alone to provide this in layman’s terms.

What CISOs want from the board

But now allow me to flip this issue and take the perspective of the CISO in addressing the key question: How can boards be more supportive of their CISOs?

The CISO requires specific and sustained support from the board to effectively protect the organization from cyber threats. A strong partnership between the CISO and board is essential for establishing and maintaining robust cybersecurity practices. My favourite saying is one that CISO Robert Veres relayed to me: The board should support the “Red” and challenge the “Green.” This support is exactly what the CISO requires as a foundation.

The board must help set the overall strategic direction that aligns with the organization’s risk appetite. This high-level guidance provides the framework within which the CISO can develop and implement security programs. While the CISO establishes the cyber risk culture, they need the board to reinforce this by setting the appropriate tone from the top and ensuring cybersecurity compliance is prioritized across all levels of management and business units. This is a difficult task for some boards, as they may lack a good understanding of the business and of how the technology strategy integrates with it.

A critical requirement is for the CISO to have a strong mandate to operate with clear accountability. They need the authority to act and defend the enterprise without excessive interference, allowing them to respond quickly and effectively to emerging threats.

The board must also understand the concept of cyber risk buydown — recognizing that not all risks carry equal weight and supporting the CISO’s focus on addressing the most critical threats first.

The CISO also needs the board to provide adequate resources and budget to support the implementation of the cyber strategy. Without proper financial backing and resource allocation, even the best security strategies will fall short of their objectives.

Note that the CISO will always have the accountability but may not have the approved budget and resources required to match this ambition.

These support requirements are not quick fixes but require ongoing attention and commitment over the medium term. Many enterprises currently have significant work ahead to improve their risk posture, and the board likely recognizes the status quo is not acceptable.

Building a solid two-way understanding of cybersecurity between the board and CISO is crucial for addressing these challenges effectively. Organizations that develop this mutual understanding are better positioned to tackle cybersecurity challenges successfully.

David Gee is a contributing writer for the Foundry group of publications. He has more than 20 years’ experience as CIO, CISO and Technology, Cyber & Data Risk Executive across the Financial Services and Pharmaceutical industries. David has made the transition to Board Advisor, Non-Executive Director and Strategic IT Advisor. He has written extensively for IDG Australia across CIO, Computerworld and CSO over several years, and has just written a new book, The Aspiring CIO and CISO.
