Boards want more forward-looking insights: The report also suggests that board-CISO communication doesn’t dive as deeply into details as it should in these days of ever more sophisticated, AI-driven cyberattacks.

The majority of board directors (82%) say their security leaders’ reporting on regulatory trends was satisfactory or excellent, and that they had strong visibility into program initiatives, current risks, and resourcing needs. However, about half said security leaders’ reporting in other areas, notably threats from AI and other emerging tools, needed improvement.

This seems to signal that boards are seeking to move beyond high-level conversations to more forward-looking insights. AI is now a primary driver of cyber risk, enabling more sophisticated attacks; at the same time, it is introducing new areas of loss as AI models become high-value assets that can be exploited or damaged, said Brian Walker, CEO of The CAP Group. “AI and cybersecurity are inextricably linked, and boards must understand the business risks of both,” he said.

Similarly, boards regularly interact with dashboards and frameworks, but fewer than half of them (41%) participate in tabletop exercises, crisis simulation, incident escalation protocols, or other education and training. “In other words,” the report notes, “boards are well informed on paper, but often stop short of experiencing cyber risk, suggesting oversight that is more passive than active.” This suggests that CISOs are not helping boards get ahead of the “fast-moving risk dynamics” of today’s threatscape.

Ultimately, the report emphasizes, this reinforces a familiar pattern: Updates effectively explain the current state, but are less effective at preparing directors for what comes next.
Board involvement is critical for cybersecurity: Getting board buy-in is critical, as data and digital capabilities are integral components of business strategy. Risks created by emerging technologies and methods of using data are, as a result, “becoming more impactful on an organization’s health,” said Kakolowski.

In the strongest security-first organizations, CISOs are “deeply aware” of the risks that are most important to the business, and are able to contextualize cyber issues into those risks, he said. “They aren’t getting the board up to speed on cyber issues; they are shaping the cyber agenda around the risks that matter to the board and, implicitly, the broader organization.”

The takeaway for CISOs: Use your security knowledge to determine the organization’s risk tolerance and manage risk accordingly. Simply put, building a strong relationship with the board requires a mindset shift “away from being a security leader trying to prevent breaches, to being a business leader partnering with the executive team,” said Kakolowski.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4141873/only-30-minutes-per-quarter-on-cyber-risk-why-ciso-board-conversations-are-falling-short.html