[BreachExchange] Why Companies Need CISOs and CIOs as Board Members

Destry Winant destry at riskbasedsecurity.com
Thu Sep 10 10:34:27 EDT 2020


https://www.securityweek.com/why-companies-need-cisos-and-cios-board-members

Diversity Not Only Includes Gender and Racial Diversity, But Also
Diversity of Thought

We’ve all heard the phrase “every company is a technology company.”
Today, that’s truer than ever. As companies started to realize the
business value digital transformation unlocks in terms of operations
efficiency, performance, and quality of services, they began opening
new connectivity vectors to enterprise infrastructure and collecting
data from machinery and processes and storing and analyzing it in the
cloud. Others have progressed even further with devices on the edge or
robots in warehouses and on factory floors that monitor, manage, and
execute processes leveraging the power of machine learning and
artificial intelligence.

Digital transformation has been good for business and is here to stay.
The COVID crisis has underscored this reality by accelerating
transformation and introducing change to everything – from how we
communicate and collaborate to how our infrastructure is organized –
resulting in huge shifts in business and operating models. It’s why
we’ve seen Zoom soar to a $129 billion market cap, and the CEO of
Microsoft stating that they’ve seen two years’ worth of digital
transformation in two months.

Obviously, the biggest changes and opportunities are for the
infrastructure companies themselves. But even companies in sectors
like manufacturing that had begun to embrace digital transformation
initiatives around the cloud, SaaS applications, and secure remote
access, were able to pivot faster for competitive advantage. They had
already started thinking about cybersecurity as an enabling factor in
an expanding and open environment, where IT and operational technology
(OT) network convergence is inevitable. Guided by strong technology
leaders, IT and OT teams have been able to support dramatic changes to
the workplace – sometimes overnight – with data and processes secured.

As digital transformation and cybersecurity become pillars that
successful companies will build their futures on, the time has come to
include CISOs and CIOs on company boards. It’s no secret that
diversity is a hot topic these days. However, diversity not only
includes gender and racial diversity, but also diversity of thought.
Technology expertise is especially lacking at the board level. In
fact, a new report (PDF) finds that in 2019, approximately 70% of new
independent directors came from CEO, operating or senior finance
experience, with no mention of technology experience representation.
As the discussion on risk and security is heightened and becomes more
complex, organizations must look towards a future that includes
technology experts on their boards.

The value CISOs and CIOs bring to the table

Depending on how far companies were on their digital transformation
journey prior to the pandemic, they either saw the benefits or
experienced the pain of transitioning to a remote work model. Now that
the initial rush to support a shift to a more distributed model is
behind us, companies have an opportunity to do two things: 1) pause
and consider what work still needs to be done to further resiliency,
and 2) plan how to move further along their digital transformation
journey securely, to continue to drive competitive advantage and
emerge stronger from the global pandemic.

Risk is an essential part of any executive decision. But as
enterprises adapt to their current state and initiate new digital
transformation projects, many are finding that accurately identifying
risk – much less reducing it – is exceedingly complex, particularly in
industrial environments. Boards need to include CISOs and CIOs at the
helm of their leadership who can provide advice on moving forward with
digital change initiatives and help companies prepare for the future.
As board members, CISOs and CIOs can explain how changes to the
infrastructure can increase growth and reduce risk, as well as explain
the organization’s risk posture, including exposure from new
initiatives and the relative impact of potential breach scenarios, and
what can be done to mitigate risk. They can also elevate the
conversation to ensure understanding, more informed decision-making,
and total business alignment, which is especially crucial during a
crisis when companies need to move even faster.

When boards lack the CISO and CIO perspective, various scenarios can
play out. In some cases, we see complacency where some boards feel
they’ve done enough. The immediate urgency has passed, and they plan
to continue with the status quo until life “returns to normal.” In
other cases, boards have been stymied from making important strategic
decisions because they lack the background to understand the full
extent of opportunities for digital transformation. They gained an
appreciation for what is possible over the last six months and saw the
positive impact on the bottom line, but don’t know how to move
forward.

These situations are problematic for several reasons. I’ll just name a few:

1. In the rush to support productivity and keep the business moving,
most teams didn’t have the luxury to account for failure. It’s time to
focus on maximizing resiliency.

2. No one knows what “normal” will look like. What we do know is that
disruptions are inevitable and successful companies will be those that
remain agile.

3. All critical infrastructure sectors are facing heightened threats
as adversaries take advantage of an expanding attack surface and
legacy devices, never designed for internet connectivity, now being
connected. There’s urgent work to be done to reduce exposure.

4. Boards likely would have embraced digital transformation sooner had
they had the benefit of the expertise, experience, and insights that
CIOs and CISOs can provide. Companies can ill afford to put digital
initiatives on the backburner any longer. They must start rethinking
infrastructure and security.

A lack of technology experts on corporate boards is exposing companies
to unnecessary business risk and slowing down progress. Now is the
time to strengthen resiliency, plan for additional digital
initiatives, and begin executing on them. The global pandemic will
have lasting effects on how we work and live. We need to make lasting
changes to the makeup of boards so we can weather this crisis and
future disruptions with better business outcomes and mitigated risk.

