Opening the lines of communication between CISOs and the board

As the threat landscape widens, CISOs and the board must work closely and effectively to ensure they remain focused on the same goal: building a company-wide security culture and protecting their people and data. Andrew Rose, Resident CISO, Proofpoint, says that while it’s encouraging to see that cybersecurity is finally a focus of conversations across boardrooms, boards still have a long way to go in understanding the threat landscape and the role of the CISO.

Andrew Rose, Resident CISO

As the threat landscape continues to widen, what challenges have CISOs been faced with over the last year and what tools are they using to tackle these?  

There’s no question that organisations have experienced widespread cybersecurity challenges in the past year. While conventional and well-known threats such as email phishing and ransomware remain successful, many threat actors are shifting to newer techniques to increase their chances of a successful cyberattack.

But whatever the tactic, most attacks shared a common trait – they were squarely targeted at people rather than infrastructure.

Ransomware attacks increased significantly across the globe last year, with email still commonly used as the point of entry. Meanwhile, another people-focused threat, email phishing, was the most common type of attack, with 84% of organisations experiencing at least one successful email-based phishing attack in 2022.

There were these newer techniques too – such as telephone-oriented attack delivery (TOAD) and adversary-in-the-middle (AitM) phishing proxies that bypass Multi-Factor Authentication (MFA). These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale.

With so many common threats requiring human interaction, the modern cybercriminal no longer needs to hack into an organisation. Much of the time, once they’ve gained the foothold they require, they can simply log in.

Today’s threats focus on the weaponisation of trust and use email as the major attack delivery platform. To address this, companies need a threat protection solution that will protect their people using controls that are right for their role and circumstance and enable a simple and automated response throughout the attack life cycle.

Why does a disconnect between CISOs and the wider board exist and how should they work together collaboratively to build a strong cybersecurity culture across the organisation?

There are several factors disrupting the CISO’s presence at the table – for one, our language of risk is new to the boardroom. Finance has been reporting and pitching financial risk to executives for years; theirs is a business function with established models, nomenclature and metrics each board member understands. 

The same cannot be said of cybersecurity. Few outside our sphere are familiar with the basics, let alone the ever-changing threats and detailed knowledge required to defend a modern organisation. Our measurables are also less tangible than those of other business functions; protecting an organisation is not an exact science, and we are not always able to offer reassuring, black-and-white answers. Similarly, risk positions can change overnight, as a new vulnerability can mean that what was secure is now vulnerable.

As few board members are experienced in cybersecurity, we are also required to translate these answers into layman’s terms, which can serve to downplay the importance of the issue and the complexity of the solutions.  

We recently conducted a survey into this topic regarding CISOs and their boards. We surveyed 600 board members from organisations of 5,000+ employees, seeking to understand their sentiment vis-à-vis cybersecurity, but also how they engage with their CISO – what did they value most in the CISO, etc. Over half (65%) of board members felt their organisation was at risk of a material attack, but only 48% of CISOs felt the same. This shows that board members are more worried about cyberthreats than CISOs, and that could be the result of a larger disconnect. Indeed, while 69% of board members say they see eye-to-eye with their chief cybersecurity experts, only 51% of CISOs say the same about their board members.

Bridging the disconnect is vital. CISOs and the wider board need open lines of communication. But often, boards are relentlessly focused on the bottom line and CISOs mired in technical language. Over time, business-first, tactical communications and solutions can lead to muddled perceptions and misaligned priorities.

Cybersecurity has a voice in the boardroom, but it must now push to become more than a 15-minute session each quarter. It needs to establish itself as a core component of every business decision, to the extent that the CISO sits alongside the CEO, COO and CIO and doesn’t leave the room once the security session is done.

To what extent do you feel boards understand the CISO’s responsibilities and grasp the severity of combatting cyberthreats?

Our recent report, Cybersecurity: The 2022 Board Perspective, revealed that cybersecurity is in fact dominant on the agendas of boards globally. A fairly large percentage (77%) of participants agree cybersecurity is a top priority for their board and 76% discuss the topic at least monthly. Consequently, 75% believe their boards clearly understand the systemic risks their organisations face and 76% assert they’ve made adequate investments in cybersecurity.

But this optimism may be misplaced. Our report found that nearly two-thirds (65%) of board members believe their organisation is at risk of material cyberattack in the next 12 months and almost half (47%) feel their organisation is unprepared to cope with a targeted attack. Only two-thirds of board members view human error as their biggest cyber-vulnerability, despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.

While it’s encouraging to see that cybersecurity is finally a focus of conversations across boardrooms, boards still have a long way to go in understanding the threat landscape and the role the CISO has in preparing their organisations for material cyberattacks.

Our data also shows that the traits most desired of the CISO by their boards differ depending on location and industry. But in general, board members reported that they most value cybersecurity experience (49%), technical expertise (44%) and risk management (38%). These findings suggest a heavy focus on protection over resilience. Technical expertise is, of course, an essential requirement when making technology purchasing decisions. But when it comes to keeping an organisation operational in the face of a cyberattack, CISOs also require a broader understanding of business management. Elevating board member expectations of the CISO could help build more meaningful, business-focused relationships and weave cybersecurity and resilience into every business decision.

Board members rate email fraud and BEC as their top concerns (41%), followed by cloud account compromise (37%) and ransomware (32%). How should CISOs prioritise these concerns as part of their security strategy and how can businesses be better equipped to deal with these threats?

The good news here is that – broadly speaking – the top concerns from the board track closely with the concerns of CISOs, who also rank email fraud/Business Email Compromise (BEC) and cloud account compromise as top concerns (along with insider threats and DDoS attacks).

Most of these threats involve email, and board members and CISOs alike are rightfully worried about them. Not only is email the number one threat vector for most cyberattacks, but it is also the area with most scope for human error. No email protection is 100% failsafe. Some threats will reach the inbox; when they do, people form the next line of defence. Unfortunately, just one errant click, rushed reply, or malicious download can have severe consequences for an organisation.

Because of that, we can’t rely solely on technical controls, we must have a strategy that encompasses people, process and technology.

Security is a shared responsibility. We must empower people, at all levels within our organisations, to understand security and the risky behaviours that can lead to breaches. Training and awareness programmes are crucial, but one size does not fit all. Make sure your programme is from the perspective of the user – make it relevant to their work and personal lives.

Over 99% of cyberthreats require human interaction to be successful. When your people are that vital to an attack, they need to be a vital part of your defence. Cybercriminals spend day and night trying to penetrate your networks, systems and data. The least we can do is make them work a little harder. 

Many see information protection as an area in need of bolstering – what approach can companies take to improve their information protection capabilities?

In our digital-first economy, data is the new currency — and it is growing in value for organisations, their customers and threat actors. The ongoing digitisation of processes and the commercialisation of data are also receiving increased attention from regulators, many of whom are pushing for more privacy protections. Information protection is a concern for CISOs and boards of directors across the globe, so creating a robust data governance programme has become a top priority for everyone. 

Data loss, which can result from both external compromise and insider threats, has always been a serious security issue. But in modern business settings, the challenge has become even more complicated and acute. In 2022, the global average total cost of a data breach reached an all-time high of US$4.35 million, according to IBM Security’s Cost of a Data Breach Report. The report states that remote work is partly responsible for these rising costs, finding a ‘strong correlation’ between remote work and the cost of data breaches. Breaches where remote work was a factor cost US$1 million more on average.

With this dispersed workforce, traditional data loss prevention (DLP) approaches aren’t up to the task. A modern approach to DLP offers a consolidated, easy-to-manage solution that works across all the tools people use — email, the cloud, endpoints, the web and file shares. And it uses a cloud-based architecture that is easy to deploy, offers privacy and security by design, easily scales up and integrates with a broader security ecosystem.

How do you see the top-rated CISO priorities – improving information protection; cybersecurity awareness; and consolidating and outsourcing security solutions and controls – evolving in the future for the board and CISO?  

Cybercriminals will continue to shift their tactics and look for ways to circumvent security tools and technologies. No matter their approach, one thing remains the same – they are targeting people with social engineering efforts.

Threat actors realise that it’s more effective (and cheaper) to steal credentials and log in, than trying to hack through technical controls. Once they have siphoned access details from just one, single employee, they move laterally, stealing even more credentials, compromising servers and endpoints, and downloading sensitive organisational data – it’s now far too easy for an attacker to turn one compromised identity into an organisation-wide ransomware incident or data breach. This is why it’s crucial for CISOs to continue to focus on the importance of building a company-wide security culture.

In terms of outsourcing, as complexity in our environments continues to increase and the cyber-staffing crisis continues, there is the temptation to take steps to reduce the resource drain on security teams by consolidating and outsourcing risk. In fact, 58% of UK CISOs admitted to recently outsourcing key controls to managed services providers.

However, fully outsourcing key functions to third parties exposes the business in new ways. Ultimately, no matter which security controls or procedures are outsourced, effectively or not, when it comes to a successful data breach, the organisation and its security team/CISO remain accountable.

To stay resilient in today’s threat landscape, with the ongoing staffing challenges, it’s almost essential for organisations to partner up and collaborate with third-party technology and service providers to build a robust cybersecurity posture that helps protect their people and defend critical data.

What do you perceive to be the biggest cybersecurity threats for organisations over the next 12 months and what strategic initiatives do you have in place to prepare?

As we look ahead to next year, CISOs and boards should prepare to face even bigger demands, especially as geopolitical tensions escalate, the global economy grows more volatile and workforce challenges continue. 

The 2023 predictions from Proofpoint’s CISO team reinforce that CISOs and boards need to ensure they are prepared for global pressures which will exacerbate systemic risk, as the economic downturn and physical conflicts will create ripple effects throughout the entire ecosystem.

There is also the commercialisation of hacking tools on the Dark Web, which will increase cybercrime by further lowering the skill level for entry. Plus, deepfake technology will play a more prominent role in cyberattacks, increasing the risk of identity fraud, financial deception and disinformation.

We will also continue to see threat actors finding ways to bypass security tools. For example, we are seeing a new cat-and-mouse game with regard to authentication: as more organisations add MFA as a security layer, more cyberattackers are pivoting to exploit MFA weaknesses and MFA fatigue among users. 

With the cyberthreat landscape constantly evolving, it is important for both the board and CISO to keep abreast with how threat actors are pivoting their attacks in order to protect their people and data.

Intelligent CISO