
5 steps boards can take to empower CISOs and strengthen their relationship

Global regulatory changes have heightened the importance of the CISO role, making strong communication with the Board essential—so what exactly does an effective Board/CISO relationship need?

In today’s volatile cybersecurity landscape, the role of Chief Information Security Officer (CISO) has become increasingly critical and intensely scrutinised.  

Australia’s Privacy Legislation Amendment in 2022 and new and emerging regulations across the globe, such as NIS2 and DORA in Europe and the SEC’s recently enacted cyber breach disclosure rules in the U.S. – a regulatory response to events like 2020’s massive SolarWinds hack and former Chief Security Officer Joe Sullivan’s personal liability for covering up a cyber breach at Uber – have elevated the pressure on CISOs and other security professionals.

These mounting pressures have highlighted the need for CISOs to interact more closely with their board directors. Likewise, many directors want a stronger relationship with their CISOs. Strengthening the director and CISO relationship pays off: recent research from Diligent Institute and Bitsight demonstrates that a lack of connection between a board and its CISO can, in turn, diminish overall company performance.

Many CISOs feel they lack a true seat at the table and a clear ability to communicate risk and strategy effectively with board members. And directors similarly feel this lack of connection.  

So, what can be done about the disconnect?  

We’ve put together the top five ways boards can empower their CISOs and foster a more robust partnership.  

 

1. Ensure adequate protection for CISOs

One of the fundamental ways boards can empower their CISOs is by ensuring they have the necessary protection and support. Directors should consider two key aspects:  

D&O insurance: Boards should ensure that CISOs are covered by the company’s Directors and Officers (D&O) insurance policy. This coverage provides financial protection for CISOs in the event of legal action. By providing D&O insurance coverage, boards demonstrate their commitment to supporting their CISOs and recognise the importance of, and the inherent risk associated with, their position.

Indemnification coverage: Boards may also consider providing CISOs with indemnification coverage through an indemnification agreement. These protect CISOs from personal liability and provide reassurance that they will be supported in legal challenges.  

 

2. Establish regular board/CISO check-ins

Often, leadership teams inadvertently isolate the CISO from board members. This can create a real or perceived barrier for CISOs to discuss risks and strategies directly with the board. To bridge the gap, it is crucial to establish regular communication channels between the board and the CISO.  

By explicitly granting permission and encouraging regular interactions, directors empower their CISOs to share their expertise, insights and concerns directly with the board. This engagement helps align the CISO’s priorities with the board’s objectives.  

 

3. Set the tone internally and prioritise cybersecurity at board meetings

Boards should set the tone internally and prioritise cybersecurity within the organisation. It is essential for boards to recognise that cybersecurity is not just an IT issue but a critical business matter. By emphasising the importance of cybersecurity at the board level, directors send a clear message to the entire organisation.  

Furthermore, boards should prioritise cybersecurity on the board agenda. Most boards face the same time-management challenge, but they can overcome it by shifting certain work to committees or by dedicating time on the board agenda periodically; for example, a quarterly security review at committee level and an annual security review at board level.

 

4. Encourage the GC to help the CISO deliver effective cybersecurity presentations

Of course, boards must expect their CISOs to structure effective cyber presentations. To facilitate meaningful boardroom discussions, CISOs should shape their presentations to the board around specific themes and provide the relevant, contextualised data in the board’s language.  

The general counsel or chief legal officer has extensive experience here, which can help guide a CISO. The CISO should focus on four to five key questions or areas of concern – which the CISO and their main contact on the board should already be aligned on, thanks to their regular check-ins.  

 

5. Jointly establish a materiality framework ahead of time

Additionally, boards and CISOs should consider creating a materiality framework for cybersecurity incidents. By establishing agreed-upon criteria for disclosure purposes, both parties can assess the materiality of incidents before they occur. One best practice is to evaluate past incidents through this framework to see what would have been disclosable based on the agreed-upon criteria.  

In an era of increasing cyberthreats, boards must ensure that the mission-critical business function of cybersecurity is built into every layer of the organisation, starting with directors’ ability to fulfil their oversight responsibilities. By empowering their CISOs, boards can strengthen their relationship and foster a culture of cybersecurity.

Boards want to hear from their CISOs, and they need to hear from their CISOs. By empowering CISOs, directors can navigate the complex cybersecurity landscape more successfully.  

 

Find out how Diligent is empowering board members to stay ahead of their organisation’s cybersecurity reporting to ensure resilience here.

White paper: https://www.diligentinstitute.com/report/cybersecurity-audit/

Author: Nithya Das, Chief Legal & Administrative Officer, Diligent 

 

Diligent is the leading GRC SaaS company, helping organisations connect governance, risk, compliance, audit and ESG in one consolidated view. 
