A new survey from FTI Consulting reveals the heightened pressure felt by chief information security officers (CISOs) as company boards and leadership seek to improve oversight of cyber risks in the face of growing regulatory, investor and media scrutiny.
With CISOs required to regularly present to their boards, they now face the challenge of articulating cybersecurity risks and opportunities to an engaged audience, according to the CISO: Communications Redefined, Navigating the Journey from Control Room to Boardroom report by FTI Consulting’s Cybersecurity & Data Privacy Communications practice. The survey was conducted between June and July 2022 and drew on 165 CISOs and others in charge of information and cybersecurity at U.S. companies with $4.4 trillion in aggregated revenues and over 528,000 employees.
Among CISOs surveyed, 85% said that the prominence of cybersecurity on the Board’s agenda has increased over the last 12 months, with 79% feeling heightened scrutiny from senior leadership. The lack of executive leadership understanding CISOs’ roles (55%) prevents CISOs from articulating critical priorities, with 53% saying their cybersecurity priorities are not completely aligned with their organizations’ C-suite leadership.
Despite this increased prominence, most CISOs surveyed (58%) said they struggle to articulate technical information and to communicate cyber risk in a manner that the Board and senior leadership can understand. Ultimately, a disconnect between the CISO’s priorities and those of the Board and leadership may weaken an organization’s ability to prepare for and respond to a cyber incident.
Other key survey findings include:
- With mounting pressure, 82% of CISOs claim that they feel the need to positively exaggerate their role to their Board.
- Even as cybersecurity awareness grows, 58% of CISOs struggle to communicate technical language to their boards, and 63% feel that their concerns are not aligned with senior leadership priorities, potentially leaving companies exposed to a possible incident or regulatory sanction.
- While 88% of CISOs surveyed have experienced a cyber incident in the last 12 months, 46% of respondents said these incidents were not mitigated quickly, and they continue to struggle to rebuild trust and confidence among leadership following the incident.
- 52% of CISOs claim that managing communications with internal and external stakeholders is the biggest challenge when responding to an incident, and 63% believe that their cyber concerns are not fully aligned with senior leadership’s priorities and could leave companies exposed to a possible incident or regulatory sanction.
While 66% of CISOs feel that their senior leadership struggles to understand the CISO’s role, over half state that they struggle to communicate technical language in a way their board members can comprehend. In response to those results, FTI Consulting asked if respondents would benefit from communications training, and 91% said communications coaching would positively impact their role.
This research explores the communications challenges facing CISOs and those in charge of information security. It illuminates the struggles of CISOs and information security leaders to more clearly communicate — internally and externally — their role, leadership and management of cybersecurity.
Joseph Carson, chief security scientist and Advisory CISO at Delinea, says, “CISOs must invest time listening to their executive Board and business peers to learn how they measure their organization’s success. Our role within cybersecurity is not to simply put technology in place for the sake of security but to put technology in place that contributes to business success — while ensuring cyber risks are either reduced or eliminated.”
According to Carson, the CISO must become the bridge between the Board and the IT security team to ensure that a business-first approach is made with each and every security decision. “How does implementing a security strategy help your business, the executive team, your business peers and your employees be successful in their tasks and goals? In the past, security was typically enforced on the business, typically creating a negative experience and slowing down employees trying to achieve their goals,” Carson adds. “The CISO needs to make security a fundamental core to the business, and employees must never be afraid to speak out when they see something suspicious. Promote a culture where employees are never afraid to ask for advice or report suspicious activity, even if it was the result of something they clicked on. The earlier an employee reports something, the lower the potential impact and cost to the business it will have.”