Adequate time with the board is in short supply for CISOs, and this restricted engagement is leaving organizations unprepared to fully understand and manage enterprise risk. Time for the cybersecurity agenda is often limited to quarterly board committee sessions and annual full board meetings, according to an Advanced Cyber Security Center report.
In practice, this means most CISOs are only given a 15- to 45-minute slot on a crowded agenda in a board risk, audit or technology committee meeting, and similar time at the board’s annual meeting.
“Cyber usually starts off on the calendar being an hour, and then it gets squished down to a half hour, and then sometimes you’re lucky if it’s 15 minutes, which is just horrendous,” says George Gerchow, faculty at IANS Research and Bedrock Security’s CSO.
Cybersecurity is boxed into operational or compliance updates, keeping it separate and distinct from broader business strategy and risk management. “At some public companies, it will most likely get attention from the audit committee and probably very little time with the actual board itself,” says Gerchow. “The thing about the audit committee is that they care about compliance and it’s not really a cybersecurity risk discussion,” he says.
Adding to the challenges, boards often lack the tools, context or structure to challenge and influence cyber strategy effectively. Because of this, and the reduced time allowed to CISOs, boards end up simply receiving reports rather than providing valuable feedback.
Boards need to be well-versed in cyber risks; this means treating cybersecurity as a strategic business risk, not an isolated technical issue.
What sometimes drives board interaction is a security incident, says Gerchow. “Then the questions are ‘Why? Why did we wait until it got to this point?’”
Dedicated board time means open discussions about cyber risks
Keeping cybersecurity as a separate agenda item means organizations aren’t automatically considering one of their greatest risks in overall strategic business reviews, according to the ACSC. The problem is the limited time allocated to CISOs in audit committee meetings is not sufficient for comprehensive cybersecurity discussions. Increasingly, more time is needed for conversations around managing the complex risk landscape.
In previous CISO roles, Gerchow had a similar cadence, with quarterly time with the security committee and quarterly time with the board. He also had closed door sessions with only board members. “Anyone who’s an employee of the company, even the CEO, has to drop off the call or leave the room, so it’s just you with the board or the director of the board,” he tells CSO.
He found these particularly important for enabling frank conversations, which might centre on budget, roadblocks to new security implementations or whether he and his team are getting enough time to implement security programs. “They may ask: ‘How are things really going? Are you getting the support you need?’ It’s a transparent conversation without the other executives of the company being present.”
Gerchow found it a valuable opportunity to discuss things openly without regard for lines of responsibility or other impediments to frank conversations. “I’m one who’ll speak my mind, but I know other CISOs won’t in a regular board meeting with the CEO, the CFO or whomever they report to. They’re more likely to stick with progress made against risks.”
The full partnership model between CISO and board
Full and frank security discussions are more than just a ‘nice to have’. The SEC has indicated it expects public companies and their senior leadership to be transparent in how they assess and communicate cybersecurity risks.
By extension, CISOs have an important role in communicating risks to senior leadership and the board. To provide strategic insights, CISOs need to avoid excessive technical details and instead use consistent frameworks, risk registers, and resilience metrics.
At Liberty Mutual, cybersecurity is reported to the board as both a standalone topic and as part of broader technology strategy discussions. “There’s value in reporting to the full board so that all directors have some exposure to cyber trends and the health of the cybersecurity program,” says Liberty Mutual CISO Katie Jenkins.
Jenkins finds both approaches valuable, with the standalone conversation narrowing in on risks and mitigation strategies, while the integration into technology discussions demonstrates that security is not an isolated function.
“Effective security outcomes depend on a cross-functional commitment across the organization,” she says. “When I present to the board, my goals are to educate on current trends and emerging threats, clarify risks — avoiding both underrepresentation and overrepresentation — and instill confidence that we allocate our resources effectively to align with those risks.”
Jenkins aims to develop a “dialogue over a monologue” to understand the board’s most pressing questions and tailor her presentation to provide greater clarity or incorporate relevant examples in line with their focus.
To do so, Jenkins is guided by three principles in her presentations. Firstly, be clear about relating risks to business impact to make the issues more tangible and relevant to board members. “When discussing incidents or risks, I connect them to their potential impact on business operations.”
Secondly, use demonstrations to show threats in action. This provides clarity and helps build trust, moving beyond “just trust me on this” to show real-time examples of the security team’s efforts. “In a recent board update, I used demos to show the ease of use of toolkits favored by adversaries and showcased the before-and-after effects of implementing specific security controls.”
Finally, Jenkins also makes a point of highlighting how security is also a driver of innovation. “I emphasize how security enables innovation by providing guardrails, which serves as a nice complement to the more defensive aspects of our work.”
Shifting away from purely committee reporting isn’t just a tactical move. It reflects the growing need to have CISOs provide input into many business initiatives. Jenkins believes CISOs can offer valuable input into AI adoption, operational resilience, technology modernization, data and digital transformation, mergers and acquisitions, supplier and procurement strategies, and geopolitical risk management.
“Our contributions extend beyond just cybersecurity incidents; we also play a vital role in enterprise risk management and crisis response,” she says.
Originally published on CSO Online as “Get out of the audit committee: Why CISOs need dedicated board time”.