A SECtember Refrain: CxOs Need Help Educating Their Boards
Published 10/26/2022
The concerns and challenges discussed during this September's SECtember Conference and the adjoining CxO Trust Summit ran the gamut. One refrain, however, kept returning: chief information security officers need more help and guidance on communicating cybersecurity problems, the security controls they require, and overall strategy to the board and to their executive peers.
Messaging Cybersecurity to the Board
For those of us who have worked in cybersecurity for some years, the topic of discussing the organization's cybersecurity resilience posture effectively with the board and the wider C-Suite is nothing new. Google "messaging cybersecurity to the board" and you'll find advice columns going back to roughly 2010. Times, however, have changed.
Widespread cyberattacks resulting in massive data breaches, supply chain worries, increasing compliance mandates, and more companies relying on multiple cloud services mean that senior executives and board members must now understand and support cybersecurity and risk management strategies in demonstrable ways. Nor should we forget the far-reaching implications of misinformation and disinformation campaigns that can drive down a targeted corporation's value, or of nation-state attacks aimed directly at specific private and public entities. The need for all CxOs and executive boards to be simpatico about their cybersecurity and resilience postures is becoming that much more palpable.
Moves by Regulatory Bodies
Regulatory bodies navigating this fast-changing environment are looking to drive this board- and C-level obligation home. For example, the U.S. Securities and Exchange Commission (SEC) has proposed new disclosure requirements under which cybersecurity risk management, strategy, and governance, including the board's oversight of cyber risk, would become a key demonstration of effective board governance.
Along the same lines, the National Association of Corporate Directors (NACD) stated in a recent report, produced in partnership with the World Economic Forum, that cybersecurity and risk management are board-level challenges that must be addressed proactively because of the financial impact, at every level, on victimized companies. To that end, the NACD recently launched an annual-membership service, the X-Analytics and NACD Cyber Risk-Reporting Service, which provides quarterly board reports tying a company's cyber risk position to its possible financial impact.
What We Can Do
Of course, a bevy of services is available from both public and private organizations. CSA members and the industry at large can take advantage of our Security, Trust, Assurance and Risk (STAR) ecosystem to validate service providers' security posture specifically in the cloud.
Our current training programs give foundational cloud security knowledge to those who pursue the CCSK certification. More types of training are imminent as well, from high-level, strategic training on implementing Zero Trust to micro-learning courses and tabletop exercises (such as those held at many of our in-person CxO Trust Summits) on how to engage the rest of the C-Suite and educate the board. CSA has offered, and will continue to offer, impactful curriculum and training that addresses all things cloud, from the top-level executive down.
The world has changed. The IT, cloud, or cybersecurity teams can no longer be solely responsible for safeguarding organizations' fast-evolving infrastructures, which now run on cloud-service backbones. The wider C-Suite and executive boards have key roles to play. We often talk about shared responsibility between cloud providers and their enterprise tenants, but the responsibility to secure the growing cloud infrastructure on which we all rely goes well beyond that. As Google's Phil Venables noted during his talk at SECtember, we now face a "shared fate." How we confront the myriad cybersecurity challenges ahead, together, can make that destiny stronger or weaker. Given all that we at CSA continue to develop, we're optimistic that we can make it stronger.