CISO and Board Member Disconnect

The disconnect between security leaders and board members has been a hot topic for years. But alas, here we are once again discussing the challenges that the board has in understanding the domain of cybersecurity, and the trouble some security leaders have in discerning how security applies to running a profitable business.

But why haven’t security leaders stepped up their game to “speak the language of the board,” and how come board members haven’t brushed up on the ins and outs of the security and risk department within their organization? One recent study has attempted to offer a rare window into the topic.

In a series of interviews with 80 different board members and security leaders, Wade Baker, co-founder and partner at the Cyentia Institute, learned how each individual viewed progress and setbacks in their oversight of cyber risk.

“The CISO's view of the board differs highly on that CISO's background,” Baker told InfoSec Insider. “Whether they’re technical, whether they come over from IT, or if they’re a project manager type. That’s a major difference maker, and also the type of organization it is.”

Naturally, board members have a much different view. When it comes to CISOs, Yong-Gon Chon, CEO at Focal Point Data Risk, who sponsored the study, said that board members view them as the individuals whose primary responsibility is to protect the organization from data breaches. Seems pretty cut and dry, and that’s because it is.

“The CEOs of organizations, as well as CISOs, share in common the idea that they only get credit when things are going wrong. So no different than when the lights are on in a building…they don’t want to think about the security of their data. They want to be able to enable their business in such a way that allows them to focus on growing the business.”

In the video interview below, InfoSec Insider caught up with Baker and Chon on the findings of their recent study, where the real disconnect between CISOs and board members comes from, and most importantly, what each side can do to collaborate successfully when it comes to managing cyber risk.

