(Clockwise) James Condon, Evan Roberts, Jamie Singer and Meredith Griffanti co-authored this article.
Against a backdrop of economic uncertainty and the constant shadow of threat actors working to undermine company security, it’s clear that the Chief Information Security Officer and equivalent information security roles are under more pressure than ever to demonstrate resilience, preparedness and response readiness, while addressing the expectations of key internal and external stakeholders.
A new survey from FTI Consulting, Inc. reveals that this increased threat activity and a growing focus on companies’ governance and oversight of cybersecurity means that, more than ever, CISOs are having to present to boardrooms and executive leadership on cybersecurity preparedness. The survey revealed that 97 percent of CISOs have been asked to present to their boards in the next 12 months and are now faced with the challenge of articulating cybersecurity risks and opportunities to an engaged audience.
“CISO: Communications Redefined, Navigating the Journey from Control Room to Boardroom” was conducted online between June and July 2022, surveying more than 100 CISOs at large companies with global operations to understand both the opportunities and challenges facing CISOs as they navigate this transition and heightened exposure.
The research explores the communications challenges facing CISOs and those in charge of information security and has revealed they need to more clearly communicate—both internally and externally—their role, leadership and management of cybersecurity.
This article is featured in O'Dwyer's Nov. '22 Technology PR Magazine.
Among CISOs surveyed, 85 percent said that the prominence of cybersecurity on the board’s agenda has increased over the last 12 months, and 79 percent feel that scrutiny from senior leadership over cybersecurity and data privacy preparedness has increased, along with more requests from senior leadership to demonstrate the company’s cyber readiness plans and preparedness.
Naturally, scrutiny abounds from external sources too, especially from media. Over the last 12 months, CISOs claim the level of media scrutiny of their organization’s cybersecurity and data privacy preparedness has increased, potentially magnifying the impact of any cybersecurity failings or breaches into the public domain.
To ensure effective external stakeholder engagement on cybersecurity, CISOs must also be able to communicate effectively with internal stakeholders. However, the survey revealed that 58 percent claim to struggle with communicating technical language to senior leadership in a way that they can understand, and 82 percent of respondents claim that when they’re in front of the board, they feel pressure to make things sound better than they really are.
With this perceived communications gap between CISOs and senior leadership, many feel misunderstood, and 66 percent believe senior leadership struggles to fully understand their role within the organization.
88 percent of CISOs recognize the importance of having regular engagement with their board and senior leadership to ensure effective management of cyber risk and possibly support their professional development. Similarly, 91 percent of CISOs feel that reporting to the CEO would help them achieve greater success in their role.
When looking closer into this perceived communications gap, the disconnect is seen most strongly with Chief Financial Officers: 64 percent of respondents believe their CFO doesn’t fully understand their role as CISO. This is a particular concern considering many CFOs are directly in charge of cybersecurity budgets, and if they don’t understand what they’re allocating financial resources to, these funds could be unjustly distributed to other business segments. This underscores the importance of CISOs communicating their role and their strategic importance more clearly to this audience in particular. The study results revealed that this misunderstanding is not confined to CFOs but is also felt among chief compliance officers, chief marketing officers and chief human resources officers.
Despite growing awareness, over half of CISOs don’t believe their board and senior leadership are completely prepared for cyber risks and 63 percent feel that their concerns are not aligned with senior leadership priorities. In order to maximize boardroom engagement, CISOs need to be armed with the skills to communicate and translate cyber risks into core business risks. With incidents on the rise, communication between CISOs and their leadership is more critical than ever before.
The study highlights critical communications struggles between CISOs and their leadership teams, with many CISOs feeling they need practical support in translating technical matters into terms that will resonate with business leaders. Ultimately, a disconnect between the CISO and board and leadership priorities may negatively impact an organization’s ability to effectively prepare for and respond to a cyber incident.
While 88 percent of CISOs surveyed have experienced a cyber incident in the last 12 months, 46 percent of the respondents claim these incidents weren’t mitigated quickly and continue to struggle to rebuild trust and confidence among leadership following the incident. 52 percent of CISOs claim that managing communications with internal and external stakeholders is the biggest challenge when responding to an incident, potentially leaving companies exposed to a possible incident or regulatory sanction.
Closing the communications disconnect with senior leadership on cyber risks, priorities and preparedness remains critical to an organization’s cybersecurity. Ultimately, the CISO role is evolving, with many CISOs needing help navigating this transition. As the CISO gets closer to the board, they will need to speak the language of the boardroom and arm leaders with the necessary information to make appropriate risk decisions. 91 percent state that communications training and coaching on presenting to boards is key to helping them make the transition.
James Condon is Senior Director, Digital & Insights, at FTI Consulting. Meredith Griffanti, Evan Roberts and Jamie Singer are co-Heads of Cybersecurity and Data Privacy Communications at FTI Consulting.