Knocking on the Boardroom Door

New research examines CISOs and the Quest for Legitimacy

Anthony Vance researches how to help individuals and organizations improve their cybersecurity practices. Photo courtesy of Anthony Vance.

One of the most important aspects of my work is helping CISOs with what I like to call “the invisibility problem.” Many talented, hardworking CISOs try to do the right things to be seen: they present at quarterly board meetings and send their executive team regular updates about the security program. While these actions may check the boxes with their management and the Board, I don’t believe they are enough to build the credibility and visibility CISOs need to succeed - and obtain the resources required to protect an organization in a world of ever-expanding risk.

So I was pretty excited when I learned that someone was studying this issue through the lens of academic research.  Anthony Vance, the Director of Pamplin Integrated Security at the Pamplin College of Business at Virginia Tech, who specializes in cybersecurity, and his team recently conducted in-depth research into this topic.  I sat down with Anthony to dig into his findings. 

You’re invited to join a virtual deep dive conversation with Anthony and ask him your own questions on December 8, 2022 at 4-5pm ET. Register at our events page: discernibleinc.com/events/ciso-legitimacy-boardroom

Why did you want to focus your research on CISOs and legitimacy?

When I looked at security breaches over the years, I was interested in the fundamental causes of these incidents. One common element I discovered is the lack of attention paid to cybersecurity by the executive team and board of directors, and their interaction (or non-interaction) with the CISO. In my field, there is little-to-no research on this dynamic.  There are a lot of platitudes like leadership setting the “tone at the top.”  At the same time, we have the SEC saying in 2018 that the board must take ownership of cybersecurity risks, and this year proposing that public boards must explain how often they engage with their CISOs.  So that’s what piqued my interest. 

Tell me more about the SEC requirements.

As of 2018, the SEC has offered guidance that boards should state in their annual proxy statement to shareholders how they are managing cybersecurity risk.  In 2022 the SEC is taking it further with a proposed rule (inspired by the New York Department of Financial Services’ cybersecurity rules) which would require boards to state in their proxy statement (1) whether the company has a CISO, (2) to whom the CISO reports, (3) qualifications of the CISO, and (4) how frequently the CISO reports to the board. The SEC is also proposing that boards state whether someone with cybersecurity expertise serves on the board and what that expertise entails. So regulatory pressure is increasing, which can help drive more conversation between CISOs and their board members.

How did you research this dynamic?

We wanted to answer the question, “What inhibits or facilitates CISOs’ legitimacy in the eyes of the board and C-suite executives?” We wanted to look at the question from both the board’s point of view and the CISOs’ perspective. So far we have conducted in-depth interviews with 36 board members and CISOs at mid-to-large cap publicly held companies, as well as a few large privately held companies. We’ve also spoken with consultants who advise boards and CISOs about cybersecurity.

What did you discover?

Our preliminary findings indicate that CISOs often lack legitimacy in the eyes of the board of directors and the C-suite, and for CISOs this can be very frustrating. Even though they are submitting reports and communicating with the board, it’s not enough. Some CISOs said they submit a report to the board but never get any feedback. Instead, they get a brief “thank you.” Or they routinely get bumped from the regular board meeting agenda. This means the board is missing an opportunity to learn directly from CISOs about substantial security issues that pose the greatest risk to the organization.

The interviews were like a therapy session for some of the CISOs we spoke with because they were able to talk about the issues they struggle with every day. They want more engagement with the board and the executive team, but many are unclear how to do this more effectively.

So how can they do that?  

In our research, the theme of the legitimacy of the CISO as perceived by the board and C-suite kept coming up, along with the finding that with increased legitimacy comes increased support and collaboration. We’ve found that this is a process in which CISOs demonstrate to the board that they are a legitimate partner.

In practical terms, this means a CISO must proactively engage with the board and be the main driver in building legitimacy. For example, one CISO told me that as soon as a new board member is appointed, he sets up a meeting with that person individually, outside of the regularly scheduled board meeting cycle, and briefs them about how the CISO can be a resource to them as a board member. This type of proactive engagement outside of board meetings is a common pattern that I see with the more successful CISOs.

How does this help increase legitimacy with the board?

It helps the board see the CISO as a resource to them and to the business beyond just reporting statistics.  Through “micro engagements” with the board, CISOs can show that they understand the company’s business priorities – which after all is the main focus of any board - and that the CISO has valuable input to share. As the board’s awareness of the CISO grows, their perception of the legitimacy of the CISO increases.  

And this leads to a virtuous cycle with tangible security program outcomes, like increased security budgets, support of the CISO’s initiatives, and facilitating communication between the CISO and C-suite. 

Another valuable outcome of this is that the board’s increased interactions with the CISO can cause the C-suite to engage with the CISO more. For example, one CISO I spoke with said that because of their interactions with the board, “now the C-suite takes a little more interest in cybersecurity, because they’re getting asked questions about cybersecurity by the board.” Now he meets regularly with the CEO and their direct reports.

So we’re really seeing two virtuous cycles of legitimacy: one with the board and one with the C-suite, in which increased legitimacy of the CISO in the eyes of the board leads to greater interaction with the C-suite, and in turn, increased legitimacy of the CISO in the eyes of the C-suite.

What should CISOs take away from your research?

Proactively engaging the board may not come naturally. In the typical career path for a CISO, they are not trained to build trust and negotiate with the board and executives. It’s a missing skill. Yet they need to understand that they can’t wait 12 months at a time to connect with these people. And it can’t be left to chance.

Getting feedback and advice from other CISOs who are experienced in this can really help, as can professional coaching.

Will there be more research forthcoming from your team?

I have published an academic conference article about this topic and I have an article about the board’s perspective also in The Wall Street Journal now available here.

- - -

Discernible offers a suite of executive-level security communications coaching, which covers relationship building, strategic c-suite and board engagements, reporting, and reputation management. Learn more about our services at discernibleinc.com/our-services.

Sign up for our monthly newsletter for more insights on security communications!

https://discernibleinc.com/newsletter-signup
