The Cost Of Inaction
The Cost of Inaction A CISO’s guide for getting boards of directors to invest in cybersecurity As a CISO, nobody understands the security risks that your organisation faces better than you. You’ve got the technical expertise to deeply appreciate current threats and how they stack up against your organisation’s vulnerabilities. And you’re keenly aware that the average cost of a breach keeps climbing, hitting an all-time high of USD 4.35 million in 2022. But you also know how these risks fit in with broader business crosswinds. You’ve learned how to work in the face of economic uncertainty, the pressure to do more with less and a talent shortage that’s pushed you to upskill and reskill. Amidst all these challenges, cybersecurity has taken on a new urgency – even among corporate boards. As a result, CISOs have found wider access and influence in organisations (with some even taking on CIO roles), and many are under pressure to pitch their boards directly for needed cybersecurity investments. So how do you make a strong case? Your board has the power to set priorities that can put your organisation on sound security footing. But just under 2% of board members on average have any relevant, recent experience in cybersecurity. And many board members don’t feel confident about IT and security oversight, or they have ambivalent views on the board’s role regarding security. The good news is that there's huge potential for getting buy-in on security investments from most boards. The top priorities of a typical board – around risk, reputation and financial stability – align strongly and organically with successful security outcomes. If you can connect the dots between those priorities and outcomes, you’re well on your way to making a strong, ROI-focused pitch. This guide will help you develop the right context and approach, by showing you how to: • Think like a board member • Speak like a board member • Use real-life examples to make risks relatable and relevant Less than 2% of board members on average have any relevant, recent experience in cybersecurity.
Your board may be more attuned to security than you know. Think like a board member The Cost of Inaction
Security is now coming up in board conversations more frequently than ever. Over two-thirds of boards say they now discuss cybersecurity regularly or constantly, and 77% of board members believe that cybersecurity is a top priority for their board. And while cybersecurity experience may be rare among board members, overall technology experience has become more common. At leading companies, 79% of boards have at least one member with a technology background – and at 72% of those companies, technology leaders frequently engage with board directors outside of board meetings. That’s all promising for CISOs. It’s still a safe bet, though, to talk less about technology and more about the big picture of enterprise risk and reputation management. Regardless of technical expertise, every board member can comfortably discuss and think about risk, whether that’s finding the right level of risk tolerance or evaluating risk management plans. Cybersecurity is about taking the right risks, not choosing the right technology.” As you’re getting into the mindset of your board, start by building consensus around your organisation’s current state: • What do board members consider your most important assets? Is it your customer data, company IP, your brand or something else? • What do they think are the most threatening risks? • What are the organisation’s most pressing priorities? • What objectives does the business need to achieve, and how can your security program help enable them? Grounding the discussion in these fundamentals creates the right perspective. You can help your board understand that cybersecurity is about taking the right risks, not choosing the right technology. The Cost of Inaction
