Researchers see ‘encouraging’ engagement between CISOs and board

It’s a hopeful and essential development, IT pros tell us.

Perhaps it’s one of the perks of working at an identity-verification company, but Jordan Avnaim, chief information security officer (CISO) at Entrust, considers himself lucky to have quarterly meetings with board members.

There, Avnaim speaks to the company’s cyber-risk committee, which includes board members and execs like the chief operating officer, CEO, and chief financial officer, about how cybersecurity threats are being reduced and mitigated.

“Establishing a trust with the board is absolutely paramount. We have to get to know them, and we have to demonstrate that we understand what their priorities are,” Avnaim told us.

Avnaim is one of a steady number of CISOs lately who have a regularly saved seat in the conference room. A new survey from Artico Search and IANS of over 830 security execs found that 47% of CISOs engage with their boards on a quarterly or monthly basis—an “encouraging” figure that elevates the role beyond just a functional department head, according to IANS Senior Research Director Nick Kakolowski.

“As infosec risk and digital risk become bigger parts of the business, those board-level governance conversations are just more critical for the overall well-being of the organization, and so more orgs need CISOs in the boardroom,” Kakolowski told IT Brew.

A survey from Deloitte of 100 C-level private business leaders, released in July 2024, found two top priorities from respondents in the coming year: increasing AI use (43%) and investing in technology (37%). Both priorities carry levels of digital and security risk a CISO must consider.

The Artico and IANS study, which took place between April 2024 and November, found that 42% of CISOs engage with boards quarterly, and 5% engage monthly.

Not every security leader has that kind of back and forth, however. The report also found that 16% of respondents had “ad hoc” meetings, and 11% “never” met with their board.

“Boards are business leaders who know how to grow businesses and deliver value to stakeholders. Depending on the structure of the organization, they don’t have the technical background to fully understand cyber issues,” Kakolowski said.

The 11% of CISOs who never talk to the board concern Chris Campbell the most. He’s another lucky CISO with quarterly calls with the board.

“If there’s some type of cyber incident, whether it’s something at your company, or even outside the four walls of your building—it could be a third- or fourth-party—you’re not going to have that line of communication or the dialog open,” Campbell, CISO and SVP, head of technology at Bitsight, told us.

Kakolowski, Campbell, and Avnaim all recommend connecting with individual board members or a subcommittee of the board at a higher rate than quarterly, to learn priorities and to tie cybersecurity presentations to individuals’ desired business outcomes. Campbell often does a pre-read, or test run, with a subcommittee to see what topics might land or not land. Avnaim meets in person with a cyber-risk committee chair, sharing insights and asking how cyber-topics have been treated across other organizations.

“If you’re going to the board without the information of what’s important to the CFO, and you haven’t done that ahead of time, you’re doing it wrong. All that information should be handled outside of the boardroom,” Avnaim said.

Artico Search and IANS’s previous year’s study found that 50% of CISOs had quarterly boardroom access—a small drop-off representing “mostly variance in sample,” the researcher noted in a follow-up response.
