I have spent many years, perhaps too many, working in the world of IT and information security. I can’t complain, I have to say, it has been rewarding. And I have noticed in recent years that there has been a considerable shift in how cybersecurity is perceived within organizations, with this function gaining greater importance and relevance. The personal influence of the CISO has been improving lately, both in terms of attitude and perception. They are more involved in helping the organization, moving away from being seen as a “blocker” and becoming an agent of change, more frequently participating in business decisions, becoming more visible, and having a greater impact on the organization.
In short, cybersecurity is increasingly becoming a function aimed at balancing risk with opportunity and innovation, serving as an objective and impartial source of information that helps executives make better decisions while supporting the organization’s goals and challenges. Or at least that is what we aspire to achieve as professionals in this field.
Unfortunately, cybersecurity is still seen in many Boards or Executive Committees as a technical issue, something that should be handled at lower levels by truly specialized staff. Moreover, interest tends to fade quickly, especially if, as cybersecurity leaders, we fall into the trap of using too much “jargon” that they don’t really understand. They often feel unprepared for a cyberattack, despite stating that cybersecurity is a top priority. Conclusion: there is still plenty of room for improvement in the relationship between top management, cybersecurity and CISOs.
What is certain is that senior leadership can no longer avoid their responsibility when it comes to cybersecurity. We also know that information security measures are much more effective when they have the leadership support.
How can we get C-levels fully engaged in cybersecurity?
Cybersecurity is no longer purely an operational concern for organizations. It must be a radical mindset shift,moving away from a focus solely on compliance and perimeter/data security to emphasizing strategy and risk management. We need to cultivate behaviors that generate and promote the trust required by any organization in today’s digital world.
Board members and executive committees play a key role in shaping the culture and positioning of organizations concerning cybersecurity. However, they often lack a real comprehensive, self-assessment driven maturity model that can help them to self-assess their direct level of cybersecurity accountability.
Many executives still fail to grasp the s