Getting CISOs and boards to speak the same language

Organisations need to put humans at the centre of their cyber resilience programs. Only then will they be able to foster an empowered cyber culture. Guillaume Noé, Senior Director of Cybersecurity at Avanade, explains why it’s so important for CISOs and boards to be on the same page about their cyber management.

Are boards and CISOs not speaking the same language in terms of cyber culture?

Well, first I will say that my hat is off to all the CISOs and the stakeholders that have a responsibility to ensure the resilience of their organisations, whether they’re in the public or private sector. I really believe to be a CISO today is a very difficult job. Not only do you have to deal with very stressful situations around cybersecurity incidents with stringent and increasing compliance regimens, regardless of your industry, you also have to report to the board of directors. I think there is an element of communication in relating to the board – to their priorities, how they think about developing the organisation according to their risk appetite – that is really critical.

I believe that to be successful, organisations really need to align their view on risk at all levels. That includes cybersecurity risks. They have to find a way to communicate in a consistent manner. So when it comes to the CISO reporting to the board, I have in the past witnessed some interesting situations. In the capacity of an auditor at one of my previous jobs, I had to report to the board of directors from a security audit point of view. That involved the CEO, the CIO and the CISO and I found myself in a situation where, unfortunately, the CISO was going to be on the back foot. It was certainly not my intent; I was simply reporting on facts as the security auditor.

My observation of those discussions was that some boards don’t come with a technical background. In the world of cybersecurity, a lot revolves around technical risks and how technology can reduce those risks. But the part I noticed the most was that the language was very different. It’s fine for a CISO or security manager to refer to some penetration testing report, but what does that mean to the board of directors?

I think sometimes the security manager needs to go a level above. That type of reporting requires skills not only from a technical security point of view, but also from a communication point of view.

What then are the organisational requirements for ‘good cyber’ within the context of that example? How do you span the boundary between these different understandings?

For me, there is a key element that can unify everything, and it starts with the culture. I really like the subject of culture and I really believe that culture drives behaviours. Now, I will add the caveat that I’m not a psychologist, but my experience – personally and professionally – when it comes to matters of enterprise cybersecurity risk management is that there’s a clear sign that culture drives behaviours. An organisation’s cyber culture can foster a more proactive engagement in better managing risks, but it can be counterproductive as well. I think it’s critical to put humans at the centre of an organisation’s cybersecurity resilience program.

From a statistics point of view, the majority of cyberattacks – whether they are broad or targeted – leverage a common weakness: the human element. So from my point of view, it makes sense to put the human at the centre of the solution. That can help create a culture of empowerment, which is very important to keep things positive.

When it comes to culture, it needs to be transparent. It needs to be open. It needs to be welcoming for people to disclose when they may have not complied with the information protection policy, for example. They need to feel that they can come forward, share their experience and take it as a lesson learned. There’s no point blaming people all the time for their behaviours around cybersecurity. Culture can make a big difference in mitigating and better managing cybersecurity in organisations.

How can we equip employees to become security advocates?

There’s an element of training that is very important. I don’t expect any employee in an organisation to be aware of all the threats they may be requested to identify, and for them to adopt the right behaviour or the right reaction. A cybersecurity awareness program is absolutely very important.

However, I think there are different ways to do it. Organisations can do cybersecurity awareness as a box-ticking exercise purely from a compliance point of view. I have seen that and have experienced it myself. Once a year I get an email that it’s time to do a refresh. I click on it, some learning management system kicks in, I watch some videos, I answer some questions and bang – I get a digital certificate and I’m good for 12 months.

But it’s not only about compliance. It’s about changing behaviours. It’s about making the ‘awareness’ moment relevant to the context and what the user is doing at a specific time. That leads to everything being more relevant and more efficient.

In terms of readiness, collaboration and protecting all layers within an organisation, what’s your guidance for how leaders should position themselves? If you were doing a refresh right now, what would your top tips be for organisations?

My first piece of advice is to put people at the centre of your cyber resilience program. They can be your biggest weakness when it comes to cybersecurity, but they can also be your best line of defence. Keep it positive, give them the opportunity to be empowered and more responsible. Start with the goal of turning them into cybersecurity advocates. I think that’s very important.

There is also a real need to engage regularly with staff and employees, to provide them with refreshers, to maybe investigate some innovative ways to improve their cybersecurity awareness.

And last but not least, for organisations that do not specialise in IT security or maybe don’t have a big cybersecurity team protecting their environment – seek some advice from consulting firms or organisations like Avanade. They can really make a difference, particularly when you deal with advisors who work across a broad range of organisations in different industries. They can bring with them some really good visibility into what’s happening right now in Australia’s cybersecurity landscape. That can help in shaping your trajectory when it comes to building and maintaining organisational resilience.