News item

“CISOs should have a prominent place on the board – and beyond”

Profielfoto van Rob Beijleveld
11 November 2023 | 3 minutes read

The CISO will be an important stakeholder in the coming years, according to Rob Beijleveld, one of the initiators of the CISO community. CISOs have to take steps to develop their role, increase cybersecurity awareness, advocate for changes, and show that they deserve that seat at the table.

“Over the last twenty years, developments in IT and cybersecurity have moved at lightning speed. This can be seen in the CIO role, which has become indispensable for every company. Whereas CIOs used to report to the CFO, their role has now become independent, reporting directly to the board. CIOs' job profiles have professionalized and matured, and responsibilities have grown, together with their value and impact.”

More awareness

Right now, the same is happening for CISOs, Rob Beijleveld notes. “Increasingly, companies are starting to understand the importance of mitigating cyber risks. Undoubtedly, this process of building awareness is accelerated by recent and ongoing cyberattacks, which have led to grave financial and legal consequences for a number of companies. We can now clearly see that companies have started to prioritize the areas of security, risk, and liability.”

Conflicts of interest

Yet, while boards may realize the importance of cybersecurity and want to make improvements, concrete measures are lagging behind, Beijleveld points out. “For example, we still see structures at companies where CISOs report to the CIO. This can lead to conflicts of interest: to what extent do the strategic, technical targets, and management initiatives of the CIO match with the security targets and concerns of the CISO?”

“In discussions with the board, CISOs must advocate to improve cybersecurity. With the CISO community, we want to provide them with the resources to do so.”

In addition to lacking independence at a company, CISOs might also lack essential tools and resources. “What does the roadmap of a CISO look like? Which steps need to be taken, and which certificates should be gained for a CISO to develop well in their role? Often, the development path of a CISO is unclear,” Beijleveld says.

Developing the CISO role

The CISO’s level of responsibility might exacerbate this problem. As cyberattacks can happen at any time, a CISO should be ‘on’ 24/7, Beijleveld notes. “When CISOs are focused on emergencies, fixing urgent matters, they don’t have much time left to seek out other projects, such as following courses or improving their soft skills.”

Yet, it is precisely those skills that are vital in making progress toward gaining more maturity in the CISO role, Beijleveld says. “We, therefore, need to provide CISOs with the right network and the right tools.”

“The CISO role is mentally demanding. By sharing knowledge and providing CISOs with the tools to develop their hard & soft skills, we aim to take off some of the load.”

“There should be a roadmap that explains which steps should be taken for a CISO to improve in their role. This is something the CISO community will be able to provide. As I mentioned before, the CISO role is mentally demanding. By sharing knowledge and providing CISOs with the tools to develop their hard & soft skills, we aim to take off some of the load.”

Change in mindset

“A change in mindset will also need to happen at the top level,” Beijleveld notes. “Just like sales and marketing have been separated in the past, or finance and IT, companies will need to realize that both IT and cybersecurity deserve their seats at the table.”

“Many companies have become victims of cyberattacks, and these attacks are becoming increasingly inventive. There is a clear business case that shows why companies should allocate more resources to cybersecurity.”

Yet, how do we convince companies to devote their resources to cybersecurity and prevention? One might argue that companies lack insight and think cyberattacks will not happen to them. Beijleveld refutes this argument. “The evidence is there. Many companies have become victims of cyberattacks, and these attacks are becoming increasingly inventive. Even without looking at the evidence, it is easy to calculate the costs and benefits of investing in cybersecurity. There is a clear business case that shows why companies should allocate more resources to it. However, in this discussion, the CISO needs to advocate. With the CISO community, we want to provide them with the resources to do so.”

“Considering the speed at which the digital world is evolving, we don’t have the time to lean back and see what happens,” Beijleveld adds. Instead, if we combine the resources, the tools, and, of course, the people, we can start getting stuff done.”

CISO as stakeholder

“I see a big role for CISOs as an important stakeholder in the coming years,” Beijleveld says. “CISOs are the authority in the field of cybersecurity, and they should grab that opportunity with both hands. CISOs must be present at the table, not just in their own company, on the board, but also as a stakeholder in education, in government, and many other fields.”

“Considering the speed at which the digital world is evolving, we don’t have the time to lean back and see what happens.”