Organizations with cyber-committed CEOs and boards can better manage cyber-risk, better protect against cyberattacks, and better leverage cybersecurity for strategic opportunities.
Accenture has identified three industry-leading practices to help make a much-needed shift from a technology—and operations—focused reporting, to a more strategic debate that is business-relevant and focused on protecting the most important assets of the business:
- Capture the strategic picture of cybersecurity in the business.
- Speak the language of business impact in all cybersecurity communications.
- Build “muscle memory” for threat response at the CEO and board level.
The practices also address key findings from a recent Accenture research study of 2,000 security executives across 12 industries and 15 countries. The study showed surprisingly low levels of organizational cybersecurity competence.
Too many organizations struggle with making cybersecurity business-relevant, with only one-third of security executives rating their organizations as competent in monitoring business-relevant threats.
The majority of companies also have problems identifying, communicating, and preparing to defend against business-relevant threats. Only one in three organizations adequately identify threat targets, practice cyberattack scenarios, engage stakeholders, and have clear escalation paths for involving top-level management.
Helping to create cyber-committed CEOs and boards who are engaged, not just involved, with cybersecurity in the business leads to more effective risk management, threat response and overall cyber defense.
CISOs have a vital role to play as the catalyst for achieving this top-level engagement by making cybersecurity business-relevant to top management.
Better engagement and threat response readiness at the CEO and board level requires CISOs to become more strategic in their board communications and interactions.
Too many CISOs are focused on the operational picture of cybersecurity in the business—how many vulnerabilities, patches, or incidents. Their scorecards are overladen with volumetric data on compliance challenges or technology issues, diluting the significance of more strategic threats.
Too often, CISOs communicate in technical terms—encryption, identity access and management, end-of-life assets—rather than in business terms that draw a clear linkage to business impact.
Lost opportunities for CEO and board engagement also occur in connection with cyberattack preparation. Too few security organizations engage in crisis drill and practice, but even those that do seldom extend the involvement beyond the security team into the business and up to the C-suite.
CISOs can use three industry-leading practices as guiding principles to help ensure the business-relevance that creates cyber-committed CEOs and boards:
- Capture the strategic picture of cybersecurity in the business. Develop a strategic narrative around cybersecurity that captures four key components:
Speak the language of business impact in all cybersecurity communications. Take technical issues and elevate them to board-level business concerns and language. Deliberately draw clearer connections to the business impact of cyber metrics and cyber initiatives.
Build "Muscle Memory" for threat response at the CEO and board level. Recognize that an engaged CEO and board are a prepared CEO and board. There may be no better way to establish the business-relevance of cybersecurity than to engage the CEO and board hands-on in cybersecurity crisis drills, simulations and tabletop exercises.
- What are the threats to our most important lines of business—and how are they changing?
- What are we doing—and how effective is it?
- What are the strategic options and initiatives across our business—and what are we doing to manage the risks they pose?
- What are the remaining risks—and what do we need to do about them?
These practices enable and cultivate leaders who are informed, educated and engaged, and fully prepared to make the right risk management and investment decisions regarding cyber threats.