Thought Leadership

Jul 7, 2022

Do CISOs Belong in the Boardroom?

Understand the importance of cybersecurity representation on your board of directors, and learn effective tips for better CISO-to-board communication.

Fewer than 5% of CISOs currently sit on a corporate board of directors. Most of them do at least present to their boards or board subcommittees, but only infrequently and on no regular cadence. Given the current geopolitical climate and the rising cyber threat, isn't it about time for cybersecurity leaders to play a larger role in the executive decision-making process?

Rich Baich is the former CISO for AIG and Wells Fargo and served on SafeBreach’s advisory board. He brought an invaluable range of cybersecurity leadership experience and expertise to our forward-looking business strategy and product roadmap—and also happens to know a thing or two about being effective in the boardroom. 

“Organizations are seeing more and more value with CISOs who are highly technical but also spending the time to understand the business and mission of the organization so they can actually help make the best decisions,” said Rich in a recent appearance on the Cybercrime Magazine podcast.  

Rich believes the most successful CISOs are the ones who:

  • Know what information to get
  • Get that information in a timely fashion
  • Present it so senior leadership can make the best decisions possible, based on the facts

Truth to the Board

What is the board's responsibility when it comes to cybersecurity? The primary focus of a board of directors should be on governance. Ethics, risk management, compliance, and administration are all key elements of good governance, and cybersecurity plays a vital role in each of those areas in today's business environment.

So, whether or not a CISO has an official seat at the table, they should at least be invited to present with some regularity before the board. Once they’re in the door, it is then the job of the CISO to provide their executive stakeholders with the information they need to understand how effective their cybersecurity program is from that governance perspective. And this depends first on clear, consistent measurement. 

“An organization decides what level of security they get by the culture they embrace as it relates to risk management associated with their information security and cyber domains,” said Rich. “What I’ve found to be very valuable is using simulation—whether that be attack simulation or risk simulation—that allows me to say, ‘If I take these actions, what happens?’”

Data-driven measurement enriched with real-world threat intelligence is critical to building a board-friendly reporting package on the maturity of a cybersecurity program. When CISOs understand their environment and assets well enough, they can take the known threats and attacker techniques relevant to them, run breach and attack simulation (BAS) scenarios against their own controls, and report which attacks are blocked or detected and which succeed. That gives the board a fact-based picture of where the organization is exposed rather than a list of deployed tools. The caveat a practitioner should state alongside the numbers is that simulations only cover the assets and techniques they were run against, so gaps in asset inventory or scenario coverage are themselves findings worth reporting.

The Critical CISO

Cybersecurity is no longer an afterthought, and boards need to understand the full impact of cyber risk to their business. The role of the CISO has matured greatly over the past several years, but so have the bad actors—especially malicious nation states with a tremendous amount of resources to develop new attacks. 

Despite all the challenges facing the role, Rich said, “I’m still excited about the CISO role. I encourage people to strive to become CISOs because it is a rewarding job, especially if you have a mission and passion behind what you’re doing.”

The modern enterprise CISO is in the unique—and critical—position to model their organization’s risks, proactively help put plans in place to mitigate the threats that may arise, and make it as difficult as possible for their organization to fall victim to an attack. No longer are CISOs viewed as the ones saying “You can’t do this.” Instead, they’re recognized for the value they provide in enabling their business stakeholders by asking: “How can we do this securely?”

To learn more, be sure to check out Rich's full appearance on the Cybercrime Magazine podcast. If you're interested in exploring how BAS technology can help demonstrate the effectiveness of your organization's controls and quickly provide that information to the board, reach out to a SafeBreach expert today.
