Why boards must stop chasing buzzwords

COMMENTARY: CISOs who have spent time discussing cybersecurity with company board members have probably noted a costly pattern: boards increasingly divert budget toward initiatives to respond to the latest industry buzzwords rather than focusing on the cyber defenses that truly matter.

Resources are absorbed as copious amounts of time, effort, and money are spent evaluating overhyped products and tools, often without understanding their actual value.

Ultimately, it will rest on CISOs to help board members stay focused by helping them understand what products they need to evaluate and prioritize to genuinely address their organization’s needs, rather than chasing what’s generating the most buzz.

Take, for example, the rise of ransomware as a headline-grabbing issue. Like everyone else, board members have seen the headlines highlighting the dangers and even existential risk such attacks present.

But for most board members, discussions of ransomware fall into the category of what I would call “locker room talk.” Rather than spending the time necessary to technically understand the issues involved and help give proper guidance to the C-suite and below, they usually just call on the CISO to conduct an assessment that’s deep enough to make them feel warm and fuzzy about their organization’s levels of protection.

And that's the end of it.

While this may sound innocuous, the harm it causes isn’t. By directing the CISO’s organization to chase buzzwords, the board pulls attention away from other priorities. Perhaps the organization had been working towards stronger multi-factor authentication (MFA). Maybe it was arranging vendor training on some of its security operations center (SOC) products to improve threat detection. Maybe it had other assessments planned, with funds carved out for them, that now have to be redirected to a ransomware assessment that just popped up.

Ironically, if the organization was already prioritizing fundamentals like strong MFA, endpoint visibility, and a capable SOC, they wouldn’t need to worry about ransomware attacks – which don’t differ substantially from other types of cyberattacks in terms of prevention or protection.

So what should CISOs tell board members about security to dispel their “chase the buzzword” mindset? The solution focuses mainly on experience and communication. CISOs should do the following:

  • Clearly communicate to board members the actions the organization must prioritize to address threats: If an organization lacks a deep understanding of the threats underlying issues like ransomware, it will be unable to prioritize the actions needed to address them, or even to recognize what a proper assessment should look like. CISOs should walk the board through previous breaches relevant to their specific industry so that board members understand who the likely attackers are, what those attacks look like, how the response should proceed, and how to assess detection and protection at each step of the response.
  • Work with experienced partners: Often, internal teams lack the incident response history needed to convey the right points to their board members. So when conducting assessments, CISOs should engage partner organizations with deep experience in that area. By working with companies that have a long track record in incident response, CISOs will obtain more valuable results, because those partners can share firsthand knowledge gleaned from responding to major breaches.
  • Encourage board members to embrace AI: When news broke about the potential threats associated with Anthropic Mythos, alarm bells went off in boardrooms across the country. What may have been overlooked in the ensuing panic is the value AI will bring to threat assessments. What makes AI unique for threat assessment? It can be trained to discover vulnerabilities in ways that previous assessment methods, which lack the layered analytical capacity AI brings to this kind of work, could not. We are likely to see much better source code reviews from properly trained AI models, which will help equip organizations with the tools they need to discover vulnerabilities more effectively.

By communicating to board members a deep, rather than superficial, understanding of the threats organizations face from highly publicized attacks, CISOs can prioritize substance over signal and more effectively protect their organizations.

Jon David, co-founder and managing director, NR Labs

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
