Dialogue with chief information security officers

May 2017

With cyber threats ranking as a major risk for companies and their boards, directors believe it is more important than ever to have a strong leader managing cybersecurity efforts. Most large companies – over 70% of those with annual revenues over $1 billion, according to one survey – now have a chief information security officer (CISO). The CISO’s precise duties, position within the organization, and relationship with the board vary from company to company, however, and these elements remain the subject of debate among security, risk management, and governance experts.

On March 31, 2017, the Audit Committee Leadership Network (ACLN) met in New York to discuss these issues with three prominent security executives: Dr. Andy Ozment, co-CISO at Goldman Sachs; Frank Price, vice president and CISO at CVS Health; and Joe Sullivan, chief security officer (CSO) at Uber.  

In conversations before and during the meeting, guests and ACLN members considered various aspects of the CISO’s role and interactions with the board: 

  • The effectiveness of the CISO depends on how the role and scope are defined 
    CISOs today have many potential responsibilities, though the role is still evolving at many companies. The security executives argued that it is important for CISOs to have a broader, more strategic role, which could include involvement in areas outside information technology (IT), such as mergers and acquisitions. The CISO role requires not only a range of skills and talents, but also a sufficient level of authority within the organization. The guests suggested that for a CISO to be most effective, the CEO and other senior leaders must embrace security as an important part of the company’s mission.

  • Thoughtful, structured communication with the CISO enables better board oversight 
    ACLN members and guests discussed several key issues that a board discusses with its CISO, starting with what framework – for example, the one developed by the National Institute of Standards and Technology – the company is using as a benchmark for its cybersecurity program. The CISO guests also recommended that boards and their CISOs track the top risks the company is facing over time to provide some insight into the performance of the CISO. Boards also have a role in ensuring that the budget for security is sufficient and that it is allocated effectively. Given the complexity of cybersecurity, both boards and CISOs rely on assistance from third-party service providers to help ensure that their companies have adequate protections. Members discussed the value of communicating directly with the CISO, usually at an audit committee meeting but sometimes as a full board, as opposed to hearing about information security from other executives.