CISOs and the board

January 2018

Cybersecurity is a critical concern for companies and their boards, which is why it is important to have a strong leader overseeing cybersecurity efforts. Although their precise responsibilities may vary, chief information security officers (CISOs) typically oversee security related to information technology (IT) and may also oversee security relating to production systems and third-party cyber risk. The role continues to evolve to keep up with evolving cyber threats and new regulations. The CISO has been elevated at many companies in recent years, according to a 2017 survey of European CISOs. But just as CISOs’ responsibilities differ from organization to organization, so too do their status and relationship with the board. 

On November 15, 2017, members of the European Audit Committee Leadership Network (EACLN) met in London to discuss the CISO and the board with Robert Coles, CISO and head of information protection at GlaxoSmithKline (GSK); Mike Maddison, partner at EY; and Emma Smith, group technology security director at Vodafone. This ViewPoints includes background information and synthesizes the perspectives that members shared before and during the meeting on the following topics. 

  • The CISO’s evolving role and function
    One way that companies are addressing cyber risk is to empower a CISO with broad authority to work across the enterprise in order to protect data and physical assets, monitor for deficiencies, respond to attacks, and educate the workforce. In many cases, this means delving into areas that are not traditionally within the scope of IT. As a result, the role requires an individual with deep technical expertise, strong business acumen, and access to appropriate resources, supported by a team with diverse skills. 

  • The CISO’s relationship with the board
    Cybersecurity is at the forefront of the board’s agenda, with many directors reporting it as the top risk at their companies. Audit committee chairs reported that they benefit from having an open and direct relationship with their company’s CISO, which includes communicating at a regular cadence using a consistent framework and common language. They said that a strong relationship makes it easier for boards and CISOs to agree upon adequate resourcing and ensure sufficient oversight of the controls in place to mitigate cyber threats.