
Most non-executive directors lack confidence in cyber investments


Nine in 10 non-executive directors (NEDs) — people who sit on boards but are not involved in day-to-day operations — lack a measure of confidence in cybersecurity’s value, according to a Nov. 24 study from research and advisory firm Gartner.

Only 10% of NEDs express strong confidence in the value of cybersecurity investments or initiatives, saying they have the right balance of protection and cost.

“Boards often struggle to connect cybersecurity investments to real business outcomes,” said Kristin Moyer, a distinguished VP analyst at Gartner. “Dashboards and compliance updates can confuse rather than reassure, leaving NEDs uncertain about whether their organization is truly more secure.”

The lesson: CISOs must do a better job explaining to the board how cybersecurity technology translates into business value.

“It's alarming that 90% of NEDs don't trust the value of cybersecurity,” said Damon Small, a board member at Xcape, Inc. “This highlights a communication breakdown, suggesting CISOs still use technical jargon instead of business-focused language. NEDs, responsible for strategy and oversight, need cybersecurity presented not as an IT expense, but as a crucial risk management and strategic enabler.”

Small said CISOs must create connections between technical risk and business, compliance, and legal risk. This transparency will facilitate quantifying cyber risk in dollars and equate it to potential lost revenue. In addition, Small said CISOs must evaluate critical assets and factor that cost into future technical and strategic decisions.

“NEDs are not questioning the importance of cybersecurity,” said Darren Guccione, co-founder and CEO at Keeper Security. “They want a clearer view of how security decisions influence the business. When conversations are dominated by technical detail, it becomes difficult for them to link risks or controls with the organization’s ability to operate and grow.”

Guccione said CISOs need to connect cybersecurity to business outcomes that boards care about: explain how different types of attacks disrupt operations, what those disruptions cost in practical terms, and how targeted investments reduce both exposure and impact.

“When NEDs can evaluate cybersecurity the same way they evaluate any other strategic risk, the discussion becomes clearer and confidence increases,” said Guccione.

One area that illustrates this connection especially well is identity-related risk, said Guccione. Many incidents today begin with compromised identities, and the consequences show up immediately in business terms.

“When organizations strengthen how they manage credentials and privileged access, they reduce risk in a meaningful and measurable way,” said Guccione.

Trey Ford, chief strategy and trust officer at Bugcrowd, added that CISOs have a challenge in briefing boards they see for 15 minutes two-to-four times a year. In those meetings, they’re briefing on cybersecurity investments, risk tradeoffs, and compliance, while providing an honest assessment of the tension between managing risk and dealing with untreated exposures and incidents.

“In most cases a board has four to eight hours of grueling quarterly meetings and the CISO shows up to brief them toward the very end of the day,” said Ford. “They’re exhausted, and digging into technical nuance that’s often well outside their domain of expertise. The magic happens when CISOs can move beyond risk treatment and shift the conversation into value creation, strategic and competitive differentiation, and represent the risk tradeoffs and investment decisions made by the risk committee — calibrating those decisions with the board’s fiduciary duty.”

Chad Cragle, chief information security officer at Deepwatch, said CISOs need to move away from fear-based metrics and start telling business-aligned stories.

“Don’t just talk about how many threats were blocked, translate that into what it would’ve cost if one got through, how long it would’ve taken to recover, and how we compare to peers,” said Cragle. “Show how cyber accelerates go-to-market, protects revenue, preserves brand equity, and keeps regulators off the board’s radar.”

Cragle said if CISOs want NEDs to view cyber as strategic and not just a spend, then speak their language: talk in terms of risk, resilience, and ROI.

“When we stop making cybersecurity sound like a mystery and start making it sound like a competitive advantage — that’s when we stop presenting to the board — and start advising them.”
