Today the cybersecurity issue is universally critical across all industries. While the BFSI sector boasts of one of the strongest and most forward looking regulatory practices that formalize the board’s accountability around cybersecurity, we can see the trend gaining momentum in other industries as well. The cybersecurity incidents in recent years have left behind significant strategic, cross-functional, legal and financial implications, driving more active cybersecurity discussions in the boardrooms.
This has put onus on the CISOs to sensitize their boards and C-Suite on the cybersecurity hygiene and drive conversations around this issue in a manner that the board/management find relevant. Anuprita Daga, CISO, Reliance Capital, shares some key pointers for CISOs that can help them initiate impactful discussions, exercise greater influence and get easier buy-in from their boards/management on cybersecurity matters.
- Improve the board’s visibility into the cybersecurity risks. The CISO should share an honest risk profiling with the board and not try to shove the risks under the carpet for fear or apprehension of exposing and admitting to the company’s vulnerabilities. Today, the boards are much more aware and open in accepting that nobody is going to be spared from attacks, including their own organizations. If the CISO is not going to showcase the right risks, then the board is never going to know the risks and the right expectations are not going to be set.
- Explain the risks in a manner that the board can understand. To be able to clearly articulate the cybersecurity risks, the CISO should create a heat map that showcases where the risks are and then provide insights into how those risks translate into business risks.
- Align the risks to the company’s business priorities. Highlight the high risk areas according to, let’s say, the top 3 business priorities. Tell the board how these high risks are going to be addressed not in terms of technology but in business terms and how it will benefit the organization.
- Make hybrid teams, comprising of CEOs, CFOs, business function heads and CROs to generate more hybrid discussions, which in turn will generate a holistic view of cybersecurity’s impact across all functions. This will help drive more interest and active participation from the board.
- The boardroom discussions around cybersecurity are apt opportunities to get the board/management buy-in and sponsorship for the cybersecurity programs. In order to maximize these opportunities, the CISO should not only showcase the cybersecurity programs being undertaken but should also track their progress and highlight the resulting business impact.