FTI Strategic Communications: Cyber Communications Preparedness

Crisis preparedness as a tool to build trust between the C-Suite and cybersecurity leaders

One of the standout findings of FTI’s recent survey, CISO Redefined: Navigating C-Suite Perceptions & Expectations, is a mismatch between the expected performance and perceived capability of the CISO.

Responses from a global audience of C-suite executives indicate a lack of trust in the CISO’s ability to honestly escalate cyber risk, effectively execute a strategic cyber crisis response, or communicate risks and impacts effectively to a broad cross-section of stakeholders.

Nearly one-in-three executives perceive their CISOs as being hesitant to raise potential vulnerabilities to leadership’s attention, while 31% think their CISO is making things more optimistic than they actually are. Over half of respondents lack faith in their CISO’s communications skills, and there is not one stakeholder group with which a majority of executives would fully trust their CISO to lead engagement.

Despite these clear concerns, almost nine-in-ten organisations have increased their CISO’s decision-making responsibilities and 38% of respondents expect CISOs to be prepared to take on greater leadership during crises. Across the board, executives expect CISOs to step into organisational leadership roles and be able to communicate weaknesses or gaps in the organisation’s cybersecurity posture and communicate directly with stakeholders prior to and during a live cyber incident.

While a lack of trust amongst fellow executives does not equate to a lack of underlying skills and competencies on the part of the CISO, there is a clear mismatch between C-suite expectations of the CISO’s role and their confidence in the CISO’s capabilities.

So how should organisations seek to close this gap?

  1. Build exec-level understanding of cybersecurity concepts:

For many senior leaders, cybersecurity is something of a black box, far removed from their day-to-day responsibilities. 31% of survey respondents admit that they do not fully understand technical concepts relating to cybersecurity. This is not sustainable. While it may be tempting to treat cybersecurity as a siloed risk under the purview of the CISO, a major cybersecurity crisis will require all executives to play a role in the response.

Regular training on core concepts, briefings on the threat landscape, and scenario exercises are all tools in the CISO’s armoury. Building technical understanding amongst C-suite peers will enable more confident engagement on cybersecurity topics and reduce the burden on the CISO to translate complex issues into basic concepts during the pressure of the crisis.

  2. Provide clarity on response processes, roles and responsibilities:

The CISO should ensure that their organisation’s operational incident response capability is clearly defined and regularly tested. This includes incident response plans and scenario-specific playbooks that clearly articulate initial response actions, protocols for information sharing and the roles and responsibilities of other senior leaders.

A documented response structure provides concrete evidence that the CISO is on top of cybersecurity preparedness. This will deliver several benefits: internal stakeholders will have greater confidence that the organisation knows how to respond; other executives can see the expectations of their own role in the response; and the CISO will need to spend less time defining the response process on-the-fly, instead able to engage with fellow executives on impacts and response options – as well as communicating with key external stakeholders as required.

  3. Demonstrate capability in peacetime:

Ultimately, trust must be earned. CISOs should actively seek opportunities to demonstrate their capability. The briefings and exercises mentioned above are a vital forum in which to put theory into practice. Showcasing processes and capabilities in response to realistic scenarios will build trust and confidence at all levels of the response, from understanding the information flow between strategic and technical teams to comfort with ways of working between the CISO and other executives.

Exercises give the CISO a platform on which to perform in front of their peers, as well as demystify elements of cyber that can otherwise cause leaders to disengage.

Cybersecurity should be incorporated into the organisation’s wider resilience framework, with an annual exercising programme covering several different objectives – from testing response processes, to providing an opportunity for executives to consider the strategic impacts of different types of cybersecurity incident and how the organisation could respond.

It is both unrealistic and irresponsible for leadership teams to expect the CISO to fix the trust gap in isolation. Improving the CISO’s credibility to lead an organisation’s cyber response relies on a collective effort from the wider senior management team. The steps outlined above – improved executive understanding of the subject matter; clear, actionable plans; and muscle memory embedded through crisis exercises – will start to address the trust deficit that currently exists in many .

For more information on how FTI can support with cybersecurity and crisis communications preparedness, please contact our EMEA Crisis team at [email protected].

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
