Infosecurity Europe
3-5 June 2025
ExCeL London

Four Tips to Get Your Board's Buy-In to Invest in Cybersecurity

Over the past few years, Chief Information Security Officers (CISOs) and heads of cybersecurity have experienced increased pressure, and sometimes blame for cyber incidents.

According to the UK’s National Cyber Security Centre (NCSC), 80% of board members and security leaders are unsure of where accountability for cyber resides.

In any case, frontline defenders cannot fight cyber threats alone – cybersecurity must be a priority across the board.

However, CISOs sometimes find it hard to convince their boards to invest in robust cybersecurity measures. Board members often prioritise immediate financial returns over long-term security investments.

This was discussed during the Financial Times’ Cyber Resilience Summit: Europe in London on November 27, 2024.

The session gathered Naina Bhattacharya, Former Danone CISO; Peter Dalton, Partner for Cyber and Data Security at Herbert Smith Freehills; Jessica Figueras, Interim Chair of the UK Cyber Security Council’s Board of Trustees and Co-Founder of the nonprofit Cyber Governance for Boards (CxB); and Peter Lassig, Group CISO at Commerzbank AG.

Here are four expert tips to help you make a compelling case to your board.

1. Launch A Cyber Taskforce Within the Board

Layering cyber governance through the creation of a cyber taskforce within the global company’s board is one step that can be effective.

Bhattacharya shared her experience at Danone, where she could benefit from a sub-committee within the board that they called the Cyber Board. This cyber-focused board was chaired by the company’s Chief Financial Officer (CFO). It included the Chief Information Officer (CIO), the CISO, the Data Protection Officer (DPO), a representative from the technology team and the head of compliance, among others.

“Anything that would go to the main board would always be filtered through this Cyber Board. This meant that many decision-makers would have known what had happened before they went to the board meeting – there were no surprises,” she explained.

Lassig shared a similar experience at Commerzbank, where the firm has different committees that each involve a handful of board members to discuss specific themes or topics.

Dalton added that even a more informal structure involving several key decision-makers can help when transferring issues to the main board or asking the leadership team to make investment decisions.

2. Present Clear Cybersecurity Priorities to Guide Board Discussions

When she was CISO at Danone, Bhattacharya had to deal with an organisation of about 100,000 employees with operations across over 200 countries and a mix of IT and OT systems to manage and secure.

This critical mass of devices and complexity can make it difficult for a CISO to prioritise. Additionally, she mentioned that because one of Danone’s main products is yoghurt, which is arguably not a critical product, the idea of suffering from cyber incidents does not always sound worrying to everyone at the company.

“When I would ask people to identify what critical information we’re dealing with, I would sometimes hear back: ‘Nothing, we make yoghurt’,” she said.

“However, when you keep asking more detailed questions about data that people wouldn’t want to be leaked or technology that our operations rely on, you start getting responses. And if the disruption of the yoghurt production doesn’t sound like a big concern, one relating to baby food might be more worrying.”

Therefore, she advocated that CISOs research and investigate which systems are important for the business so that they can prioritise security measures – and present a clear roadmap to the board when they need new or additional investment.

Figueras said a security prioritisation roadmap is essential because it helps the board “prioritise investment, which is an action only the board can do.”

“If we manage to get the risk quantification right, i.e. translate cybersecurity risks into business impact, it will help us create a common language between the top and the bottom of the organisation and foster good collaboration,” she added.

3. Get an Emergency Mandate from Your Board

Many CISOs fear the idea that they might need to disrupt or even shut down part of their company’s operations because of a cyber incident.

“Sometimes we get very worried about our jobs, asking ourselves: ‘Will I get fired if I stop three factories for a few hours or days?’” Bhattacharya said.

To alleviate these fears, Bhattacharya recommended that CISOs get an emergency mandate from the company’s leaders in written format, clearly saying that they will be supported in their actions in case of an emergency.

“This mandate took that blame away from me,” she added.

4. Organise Cyber Exercises and Live Drills Regularly

Running tabletop exercises and real-time simulations to get the board invested in cybersecurity is an important tactic.

Herbert Smith Freehills’s Dalton said, “Doing simulations helps the business understand what an incident can look like and how it can affect our crown jewels.”

Figueras added that “enthusiasm in doing cyber exercises and drills” was one of the top criteria for determining if a board understands cybersecurity issues and how serious a cyber incident can be for the company.

“Exercises are also an excellent way to keep the board on their toes,” she said.

Conclusion

Securing the board’s buy-in for cybersecurity investments is crucial in today’s threat landscape.

By presenting clear priorities, demonstrating the financial impact of cyber incidents and fostering a culture of security, CISOs and cybersecurity practitioners can make a compelling case for robust cybersecurity measures.