Investors turn up the heat on CISOs

The pressure is on for CISOs to deliver at a strategic level, writes Rick Hemsley, partner, cyber, technology consulting, EY

Cybersecurity is a word that can induce fear and uncertainty in the boardroom. Too often, it’s seen as the blocker of innovation and the bearer of bad news.

Business leaders know cybersecurity is a matter they must take seriously. How to do this, however, is no simple task.

Organisations often find themselves locked in endless cycles of incident response, and security leaders don’t always have the resources to articulate risks and threats in a way that is accessible to the rest of the executive team. As a result, leadership across the rest of the business may tune out, engaging only when an incident happens.

In this article, we will explore why businesses are taking cybersecurity seriously, with investors expecting companies to have real cyber resilience. We will also look at how organisations can navigate cybersecurity issues at a strategic level and how cyber leaders will be at the core of business leadership.

Institutional investors are looking beyond the books

While the state of a company’s balance sheet will always be important to investors, an increasing number are looking beyond the numbers to take a more holistic view of a company’s economic resilience.
Many investors, particularly institutional ones, know that poor cybersecurity practices carry significant financial risk, both to the bottom line and to the share price. Weak security can also have a major impact on mergers and acquisitions, with several notable examples well documented in the press.

Following a number of high-profile breaches, and the regulatory fine regimes that have been introduced, investors are increasingly expressing concern about companies’ ability to protect sensitive data such as customer information and financial records. As a result, investors are putting pressure on companies to allocate more resources to their cybersecurity operations.

Navigating cyber issues at the strategic level

Given investor pressure, it’s clear that cybersecurity should be a key issue for company boardrooms.

To navigate the cyber threats facing companies every day, businesses can take several actions. One of the most important is involving the CISO, or external support, in strategic decision making: using strategic cyber threat intelligence in the same way that organisations use other market intelligence to inform their decisions. This helps build cybersecurity in from the outset and develop true cyber resilience.

In addition, directors at board level can take the following actions:

•   Seek an overview of their organisation’s cybersecurity status through a variety of lenses, such as a relevant dashboard or report card.

•   Regularly review the relevance of their cybersecurity policies and ensure they are kept up-to-date.

•   Collaborate with external organisations such as cybersecurity experts and law enforcement agencies, or even competitors, to share information and best practices.

•   Prioritise incident response planning for cybersecurity breaches.

It’s also important for companies to educate and promote cyber awareness among their first line of defence: their employees. Taking these simple actions can help companies protect themselves, and their shareholders.

Cyber leaders at the core of business

Investor pressure is changing the perception of cybersecurity from something business leaders may be hesitant to hear about into a crucial part of their leadership.

Therefore, the CISO role will need to evolve to better support businesses, their boards and, ultimately, their investors.

Institutional investors are increasingly pushing for more transparency about a company’s cybersecurity practices and for the appointment of board members with cybersecurity expertise. This helps ensure a company can protect itself and its stakeholders from threats, and puts cybersecurity at the heart of business leadership.

But to step up to the boardroom and make a real impact in an organisation, cyber leaders need to understand business language and business outcomes, as well as the ‘bits and bytes’ of the IT and cybersecurity world.