The CISO as a catalyst for cyber awareness among boards of directors

Ransomware attacks, hackers shutting down competitors, the rise of hybrid work… Board members can no longer ignore reality. Cyber risks have gone from being a « business non-priority » to a regularly discussed topic in « comex ».

A study by Gartner predicts that by 2025, 40% of boards of directors will have a committee in charge of cybersecurity, or at least one of their members responsible for overseeing it. Until then, the CISO seems to be the best placed to address these issues within comex and other decision-making bodies.

The perception of cyber risk is still very varied

According to Antoine Bajolet, a member of Clusif and CISO of the Henner Group, a specialist in group social protection, the perception of the level of threat from boards of directors varies greatly from one company to another.

« The triggers for awareness can be very varied. It can be a security incident that affects the company or one of its colleagues, or even a supplier. It can also come from a crisis exercise or an auditor’s audit. Finally, it is sometimes thanks to the appetite of one of the members of the comex that things change, » he says.

For Paul Bayle, Head of Security and Group Chief Security Officer at Atos, Atos’ senior executives are very aware of this issue, as well as those of the company’s corporate clients.

« There has been a dramatic shift in the boardroom in the past three years, especially following the ransomware attacks that have been widely reported in the press. Companies have seen their competitors being attacked. This has had an impact on budgets and on the pressure on teams, » he notes.

The need for a clear mandate for the CISO

As the guarantor of cyber risk control in the company, the CISO’s main mission is to identify, manage and maintain this risk at a residual level accepted by his organization.

In order to achieve their objectives, they must first « understand the risks involved and be familiar with the different assets and needs of the company. Understanding the organization to which they belong is probably the main thing all CISOs have in common, » says Dalia Khader, CISO of SwissLife Luxembourg.

Paul Bayle fully agrees: « CISOs must understand their ecosystems and those of their competitors in order to strengthen their company’s security policy. They must carry out rigorous risk analyses and deduce the business impacts.

But a thorough understanding of the various issues facing the company is not enough. The organization’s culture also plays a key role. « The CISO can contribute to improving the situation, but he cannot change it alone and the issue must be addressed with the management’s involvement. Personally, I have not met a successful experience in the life of a CISO without them describing the support he or she received from the community at large, which is influenced by top management, » adds Dalia Khader.

CISO: what kind of participation in the comex?

The participation of the CISO in the executive committee is not systematic. It does if cybersecurity is a strategic activity for the company, in the same way as HR, commercial or financial issues, which may be the case for a cybersecurity software publisher, for example.

Most of the time, the issue is discussed several times a year, at frequencies that depend on the company and its organization. The CISO then comes to explain his roadmap on this or that aspect of his strategy to the members of the board of directors or the comex.

If the company is certified – ISO 27001 for example – the annual management review becomes an essential meeting to assess the entire cyber strategy implemented by the CISO.

For Xavier Daspre, Manager Sales Engineering France at Proofpoint, the CISO must speak to the board every month, even if only briefly. « The CISO only needs 10 minutes to describe the main trends and key figures, such as the geographical origins of attacks or the people and departments targeted. This allows him to establish the facts and anticipate the next steps, while insisting on the awareness actions organized in the company, » he notes.

Regardless of the pace at which the CISO interacts with the board of directors, one thing is certain: the support of this management body must be full and complete, without fail. When it comes to cybersecurity, it is not the responsibility of a single man or woman, but of all employees and managers, who have a role to play in setting an example and providing leadership.