Many companies today are adding Chief Information Security Officers (CISOs) to their boards to strengthen their cybersecurity posture. Adding a CISO to the board is an intuitive step, but it is unlikely to be sufficient on its own. To genuinely improve cybersecurity resilience, boards should raise their collective knowledge and expertise rather than delegate the subject to one member.
Boards are designed to function as a collective, making decisions and sharing accountability as a unit. Relying on a single CISO for cybersecurity expertise undermines this principle, creating a dependency that can be detrimental to the board’s overall effectiveness.
Instead of relying solely on a CISO, boards are encouraged to adopt a multifaceted approach to elevate their collective cybersecurity capabilities.
Why it matters: As cyber threats evolve and regulatory pressure increases, it is increasingly important for boards to proactively strengthen their cybersecurity oversight. A board with robust cybersecurity knowledge can better protect its organization, respond to incidents effectively, and ensure compliance with emerging regulations.
- Quality Time with Internal Experts: Individual board members can enhance their cybersecurity literacy by spending dedicated time with their organization’s CISO. These one-on-one sessions allow board members to ask in-depth questions, uncover details that might not surface in regular board meetings, and gain a nuanced understanding of the company’s cybersecurity posture.
- Educational Courses: Board members can benefit from executive education courses focused on cybersecurity risk. These courses often feature case studies and insights from various industries, equipping board members with the knowledge to govern cybersecurity risks effectively.
- Cyber Learning Forums: Establishing cyber learning forums can significantly elevate the collective expertise of the board and management team. These forums, chaired by the CEO and involving IT and cybersecurity leaders, create a collaborative environment for learning and idea exchange. Unlike formal governance processes, these sessions focus on understanding and addressing common challenges without the pressure of formal accountability, which makes it easier to surface uncomfortable questions and gaps.
- Bespoke Board Sessions: Dedicated board sessions on cybersecurity risk can be immensely beneficial. Whether integrated into regular board meetings or scheduled as extraordinary sessions, these focused discussions allow for in-depth exploration of cybersecurity issues. Involving external advisers and industry experts can provide valuable perspectives and lessons learned from real-world cyber incidents. Preparatory interviews with board members can tailor these sessions to the board’s specific needs and knowledge levels, ensuring maximum impact.
Go Deeper -> One CISO Can’t Fill Your Board’s Cybersecurity Gaps – MIT Sloan