{"id":3444,"date":"2025-06-05T07:00:00","date_gmt":"2025-06-05T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3444"},"modified":"2025-06-05T07:00:00","modified_gmt":"2025-06-05T07:00:00","slug":"get-out-of-the-audit-committee-why-cisos-need-dedicated-board-time","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3444","title":{"rendered":"Get out of the audit committee: Why CISOs need dedicated board time"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Adequate time with the board is in short supply for CISOs, and this restricted engagement is leaving organizations unprepared to fully understand and manage enterprise risk. Time for the cybersecurity agenda is often limited to quarterly board committee sessions and annual full board meetings, according to an Advanced Cyber Security Center <a href=\"https:\/\/www.acscenter.org\/_files\/ugd\/1a228f_8daa3c8ac74c4b97a6ecc3800d4d2e87.pdf\">report<\/a>.<\/p>\n<p>In practice, this means most CISOs are only given a 15- to 45-minute slot on a crowded agenda in a board risk, audit or technology committee meeting, and similar time at the board\u2019s annual meeting.<\/p>\n<p>\u201cCyber usually starts off on the calendar being an hour, and then it gets squished down to a half hour, and then sometimes you\u2019re lucky if it\u2019s 15 minutes, which is just horrendous,\u201d says George Gerchow, faculty at IANS Research and Bedrock Security\u2019s CSO.<\/p>\n<p>Cybersecurity is boxed into operational or compliance updates, keeping it separate and distinct from broader business strategy and risk management. \u201cAt some public companies, it will most likely get attention from the audit committee and probably very little time with the actual board itself,\u201d says Gerchow. 
\u201cThe thing about the audit committee is that they care about compliance and it\u2019s not really a cybersecurity risk discussion,\u201d he says.<\/p>\n<p>Adding to the challenges, boards often lack the tools, context or structure to challenge and influence cyber strategy effectively. Because of this, and the reduced time allowed to CISOs, boards end up just receiving reports rather than giving the CISO valuable feedback.<\/p>\n<p>Boards need to be well-versed in cyber risks, which means treating cybersecurity as a strategic business risk, not an isolated technical issue.<\/p>\n<p>What sometimes drives board interaction is a security incident, says Gerchow. \u201cThen the questions are \u2018Why? Why did we wait until it got to this point?\u2019\u201d<\/p>\n<h2 class=\"wp-block-heading\">Dedicated board time means open discussions about cyber risks<\/h2>\n<p>Keeping cybersecurity as a separate agenda item means organizations aren\u2019t automatically considering one of their greatest risks in overall strategic business reviews, according to the ACSC. The problem is that the limited time allocated to CISOs in audit committee meetings is not sufficient for comprehensive cybersecurity discussions. More time is increasingly needed for conversations around managing the complex risk landscape.<\/p>\n<p>In previous CISO roles, Gerchow had a similar cadence, with quarterly time with the security committee and quarterly time with the board. He also had closed-door sessions with only board members. \u201cAnyone who\u2019s an employee of the company, even the CEO, has to drop off the call or leave the room, so it\u2019s just you with the board or the director of the board,\u201d he tells CSO.<\/p>\n<p>He found these particularly important for enabling frank conversations, which might centre on budget, roadblocks to new security implementations or whether he and his team are getting enough time to implement security programs. \u201cThey may ask: \u2018How are things really going? 
Are you getting the support you need?\u2019 It\u2019s a transparent conversation without the other executives of the company being present.\u201d<\/p>\n<p>Gerchow found it a valuable opportunity to discuss things openly without regard for lines of responsibility or other impediments to frank conversations. \u201cI\u2019m one who\u2019ll speak my mind, but I know other CISOs won\u2019t in a regular board meeting with the CEO, the CFO or whomever they report to. They\u2019re more likely to stick with progress made against risks.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The full partnership model between CISO and board<\/h2>\n<p>Full and frank security discussions are more than just a \u2018nice to have\u2019. The <a href=\"https:\/\/www.iansresearch.com\/resources\/all-blogs\/post\/security-blog\/2023\/12\/15\/2023-sec-cyber-disclosure-guidance\">SEC<\/a> has indicated it <a href=\"https:\/\/www.sec.gov\/newsroom\/press-releases\/2023-139\">expects<\/a> public companies, and their senior leadership, to be transparent in how they assess and communicate cybersecurity risks.<\/p>\n<p>By extension, CISOs have an important role in communicating risks to senior leadership and the board. To provide strategic insights, CISOs need to avoid excessive technical detail and instead use consistent frameworks, risk registers, and resilience metrics.<\/p>\n<p>At Liberty Mutual, cybersecurity is reported to the board as both a standalone topic and as part of broader technology strategy discussions. 
\u201cThere\u2019s value in reporting to the full board so that all directors have some exposure to cyber trends and the health of the cybersecurity program,\u201d says Liberty Mutual CISO Katie Jenkins.<\/p>\n<p>Jenkins finds both approaches valuable, with the standalone conversation narrowing in on risks and mitigation strategies, while the integration into technology discussions demonstrates that security is not an isolated function.<\/p>\n<p>\u201cEffective security outcomes depend on a cross-functional commitment across the organization,\u201d she says. \u201cWhen I present to the board, my goals are to educate on current trends and emerging threats, clarify risks \u2014 avoiding both underrepresentation and overrepresentation \u2014 and instill confidence that we allocate our resources effectively to align with those risks.\u201d<\/p>\n<p>Jenkins aims to develop a \u201cdialogue over a monologue\u201d to understand the board\u2019s most pressing questions and tailor her presentation to provide greater clarity or incorporate relevant examples in line with their focus.<\/p>\n<p>To do so, Jenkins is guided by three principles in her presentations. Firstly, be clear about relating risks to business impact to make the issues more tangible and relevant to board members. \u201cWhen discussing incidents or risks, I connect them to their potential impact on business operations.\u201d<\/p>\n<p>Secondly, use demonstrations to show threats in action. This provides clarity and helps build trust, moving beyond \u201cjust trust me on this\u201d to real-time examples of the security team\u2019s efforts. \u201cIn a recent board update, I used demos to show the ease of use of toolkits favored by adversaries and showcased the before-and-after effects of implementing specific security controls.\u201d<\/p>\n<p>Finally, Jenkins makes a point of highlighting how security is also a driver of innovation. 
\u201cI emphasize how security enables innovation by providing guardrails, which serves as a nice complement to the more defensive aspects of our work.\u201d<\/p>\n<p>Shifting away from committee-only reporting isn\u2019t just a tactical move. It reflects the growing need to have CISOs provide input into many business initiatives. Jenkins believes CISOs can offer valuable input into AI adoption, operational resilience, technology modernization, data and digital transformation, mergers and acquisitions, supplier and procurement strategies, and geopolitical risk management.<\/p>\n<p>\u201cOur contributions extend beyond just cybersecurity incidents; we also play a vital role in enterprise risk management and crisis response,\u201d she says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Adequate time with the board is in short supply for CISOs, and this restricted engagement is leaving organizations unprepared to fully understand and manage enterprise risk. Time for the cybersecurity agenda is often limited to quarterly board committee sessions and annual full board meetings, according to an Advanced Cyber Security Center report. 
In practice, this [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3445,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3444","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3444"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3444"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3444\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3445"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}