Closing the Cybersecurity Communications Gap
Perhaps no other chief-level position has been thrust into the limelight recently as much as that of the Chief Information Security Officer (CISO). From high-profile lawsuits to intensified SEC oversight, today’s CISOs are increasingly held accountable for their companies’ cybersecurity transparency.
A year ago, in October 2023, the U.S. Securities and Exchange Commission brought charges against the software company SolarWinds Corp. and its Chief Information Security Officer, Tim Brown, for fraud and internal control failures, alleging that both parties were aware of the company’s cybersecurity risks and vulnerabilities.[1] This landmark case was the first time the SEC brought such claims against an individual, and the first in which a CISO was held individually liable for business decisions related to cybersecurity disclosure.
In late July 2024, the U.S. District Court for the Southern District of New York rejected most of the SEC’s claims against SolarWinds for violating the Exchange Act as it relates to fraud and cybersecurity controls. However, the court allowed the charges of misrepresentation in public security statements to proceed. The SolarWinds case moved forward on narrowed grounds, demonstrating that CISOs may face negligence-based claims related to their employers’ cybersecurity programs.
Fast forward to the present day: the SEC has taken significant action, fining several prominent cybersecurity firms for deliberately misleading the public about their involvement in the 2020 SolarWinds cyber incident. The charges accuse them of minimizing the breach’s impact, misleading shareholders about their cybersecurity posture and failing to disclose the full extent of their vulnerabilities to the public.[2] This regulatory crackdown aligns with a broader trend of government investigations, disclosure decisions and legal liability raising the stakes for CISOs. Failing to accurately disclose incidents and cyber risks can have far-reaching financial and reputational consequences.
The intensified scrutiny of CISOs raises the question: what can CISOs proactively do to mitigate the growing pressures on their roles, and what skillsets are critical for enhancing their ability to overcome the challenges that come with disclosing cyber risks?
Pressure to Understate Cyber Risk
A 2024 FTI Consulting Cybersecurity & Data Privacy Communications study, CISO Redefined: Navigating C-Suite Perceptions & Expectations, highlights that 82% of CISOs feel compelled to overstate their organization’s cybersecurity posture to avoid alarming stakeholders. The desire to prevent panic, protect the organization’s reputation and maintain a sense of control over the narrative are all important considerations that CISOs must juggle, and they sometimes lead officials to make situations “sound more optimistic than they actually are.” This creates a disconnect between what is communicated to leadership and the Board and the actual effectiveness of the organization’s cybersecurity program.
Regulatory pressures are also pushing the private sector toward more transparent cybersecurity communications. In the U.S., SEC cyber rules now require public companies to disclose material incidents and their risk management strategies. In Europe, the NIS 2 Directive mandates stricter security measures and quicker incident reporting, with senior management holding ultimate responsibility for cybersecurity risk management. These regulations reinforce the need for clear, consistent communication between CISOs and leadership, making cybersecurity a standing priority on Board agendas.
Root Causes of the Communication Gap
Several factors contribute to why CISOs may feel the pressure to soften their communications:
Technical Language Barrier
A majority (58%) of CISOs struggle to communicate complex technical details to non-technical leadership. The challenge of translating intricate cyber risks into terms that resonate with executives is daunting, and many CISOs may opt for simplification at the expense of full transparency.
Fear or Negative Perception
Nearly four in ten executives feel their CISO is not completely prepared to communicate with key internal and external stakeholders, and more than one-third feel their CISO is not fully prepared to communicate with leadership.
Lack of Alignment with Leadership Priorities
Over half of CISOs do not believe that their Board and senior leadership are completely prepared for cyber risks, and 63% feel that their concerns are not aligned with senior leadership priorities.
Pressure to Maintain Control
30% of executives believe CISOs are hesitant to discuss vulnerabilities, leading to skepticism about the cybersecurity program's effectiveness and the CISO's capabilities.
Closing the Communications Gap
To effectively bridge the cybersecurity communications gap, organizations should prioritize a few key actions.
Prioritize Cybersecurity on Board Agendas
Organizations should ensure cybersecurity is a standing item on Board agendas to facilitate regular discussions and alignment between CISOs and leadership.
Develop a Clear Reporting Framework
Creating a consistent reporting framework is essential for communicating cyber risks, vulnerabilities, and incidents, which helps eliminate ambiguity.
Invest in Cyber Skills for Leadership
Organizations must empower the CISO to build cyber skills among executives and enable informed discussions about cybersecurity. These skills may include building confidence in translating technical concepts into business impacts, staying up to date on emerging threats and practicing incident decision-making. This recommendation is intended to build interest and involve the whole executive bench in discussions about cybersecurity.
Encourage Open Dialogue and Training
Organizations should promote regular, stakeholder-specific training and open dialogue to foster a culture of cybersecurity readiness and transparency.
Promote Program Benefits to Decision-Makers
CISOs should effectively communicate the benefits of security programs to business leaders, enhancing alignment with organizational goals.
On the Horizon
As we encourage CISOs to bridge the cybersecurity communications gap, our attention also remains on the present flux of global cyber regulations. The sweeping dismissal of most charges in the SEC’s case against SolarWinds CISO Tim Brown sparked discussion among CISOs about the need for clearer guidelines on regulators’ expectations for companies’ cybersecurity policies and practices. Alongside training CISOs to advocate for their cybersecurity program internally, this case underscores the importance of closing the communications gap as a safeguard for holding clear and persuasive conversations with external stakeholders, such as regulators.
What can be done at the enterprise level to close the cybersecurity communications gap? We believe CISOs should take a proactive stance on becoming key strategic thinkers and expert communicators at the C-suite and Board levels. Learn more about how CISOs can secure their seat at the table in FTI Consulting’s “Secure Your Seat.”
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
[1] “SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures,” U.S. Securities and Exchange Commission (October 30, 2023), https://www.sec.gov/newsroom/press-releases/2023-227
[2] “SEC Charges Four Companies With Misleading Cyber Disclosures,” U.S. Securities and Exchange Commission (October 22, 2024), https://www.sec.gov/newsroom/press-releases/2024-174