Cybersecurity has rocketed to the top of corporate risk registries in recent years, creating additional pressures for CISOs and CIOs to ensure their boards are fully informed and fully equipped to deal with the issue.
For instance, at last year’s Governance Institute Australia National Conference 2021, attendees were told that rapid advancements in cybersecurity capabilities and the increasing threat of cybercrime were forcing boards to upskill when it comes to cyber literacy.
While that is an issue that would resonate with many chief information security officers today, Fabio Fratucello, the APJ chief technology officer for CrowdStrike, says that for many of his CISO and CIO peers, presenting to the board or to the leadership team can be a daunting task, even for experienced security leaders.
Fratucello brings 20 years of perspective, not only from his time at CrowdStrike, but also from his experience as a security leader.
“Successful leaders tend to gravitate towards very specific themes,” he says.
They talk about maturity levels, targets and metrics, which also raises the issue of understanding what, from a director’s perspective, is worth measuring and how it is going to be measured.
“How can you provide confidence back to the CXO that the company budget has been well spent?”
Fratucello says it's an opportunity to develop a culture of continuous engagement with the top executive and the non-executive directors of the organisation.
So what is the best way for directors, in particular, to equip themselves to be able to deal with these issues as they come along?
Reflecting on his previous experience as a cybersecurity executive, particularly in the finance sector, he said he would take the time to get to know people, “but also to ensure they had the relevant understanding of the cybersecurity practice, the capabilities, and the cyber threat landscape, in order to ensure more meaningful conversations when we were in a formal setting.”
That approach could help CISOs establish cybersecurity as a key business priority, he says.