Episode 55

How Informed is the Board of Directors on Cybersecurity Risks?

With the global cost of cybercrime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative. According to the Diligent Institute survey 'What Directors Think,' board members ranked cybersecurity as the most challenging issue to oversee. Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. Kayne McGladrey, Field CISO at Hyperproof and a senior IEEE member, sheds light on this important aspect of cybersecurity governance. The driving question being: How informed is the Board of Directors to provide effective oversight of cybersecurity governance?


Time Stamps

00:02 -- Introduction

03:06 -- Kayne McGladrey's professional highlights

04:01 -- 2023 Global CISO Survey Findings -- Do the Board of Directors have the necessary expertise to provide cybersecurity governance oversight?

07:24 -- CISO and Board of Directors Relationship

14:22 -- Effectively Empowering the CISO

20:07 -- Reasons for Board of Directors' Lack of Involvement

26:35 -- Board Members Cybersecurity Education and Training

45:27 -- Final Thoughts

Memorable Kayne McGladrey Quotes/Statements

"Interestingly enough, fewer than half of the board members regularly interact with their CISOs. This is an indicator of a communication gap, and potential alignment issues between board members and CISOs, which is really hindering progress in cybersecurity."

"I know a lot of businesses still see cybersecurity as a cost center. They don't see it as a strategic advantage."

"I can think of a CISO who I was just chatting with at Blackhat this year, who turned down a job they matched on salary expectations. But, they matched on job expectations, and they matched culturally. They will be reporting as the CISO to the Director of IT, not to the CIO, not to the CEO, but they're going to report to some down-level director, and they wouldn't be offered directors and officers insurance either. So effectively, they'd only be a CISO in title and C-level executive in title only, but not in practice. They recognize they were being hired in as a scapegoat. I think that's a persistent problem that we've seen associated with how companies are recruiting CISOs."

"I think CISOs should ideally report to the CEO or another C-level executive like the chief operating officer or chief financial officer. And that really allows for a direct line of communications to the top-level management and that emphasizes and underscores the importance of cybersecurity and strategic decisions."

"Cyber risk is a business risk. Cyber is just an influence."

"Boards think in terms of business risks. CISOs, unfortunately, don't often communicate in terms of business risks. CISOs often communicate a technical risk, like a risk of ransomware, or the risks associated with generative AI; those aren't risks; that's driving the communications gap. Literally how we talk as CISOs is part of what causes a lack of oversight on the part of the board because the board doesn't understand what it is that they should actually care about. And so, they disengage."

"Don't go to the board and say I have a problem, because they're not there to solve your problem. They want to know what you're doing about the problem. Also, they want to know if it's going to materially affect the business, I think if you go there with a problem, a solution and a proposal, you're probably going to have a much better time."



Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publications:

Preventing Security Breaches Must Start at the Top

Mission Critical --How the American Cancer Society successfully and securely migrated to the cloud amid the pandemic

Latest Webinars:

How can brands rethink data security to maintain customer trust?

Cybersecurity Readiness in the Age of Generative AI and LLM

Insights for 2023, Cybersecurity Readiness with Dr. Dave Chatterjee

About the Podcast

Show artwork for The Cybersecurity Readiness Podcast Series
The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Profile picture for Dave Chatterjee

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.