A Discussion with CISOs: Strengthening Board Accountability, Metrics, and Standards for Cybersecurity

RedSeal, along with Renee Guttmann and Chris Hetner, hosted a CISO dinner in New York City last week, bringing together industry leaders to discuss cybersecurity’s evolving landscape, from advanced AI threats to board-level oversight challenges. This conversation focused on three key areas: board accountability, the demand for standardized metrics, and the need for better cyber hygiene.

Enhancing board accountability

One of the central themes was the growing role of the board in cybersecurity. Many CISOs noted that board members often have only a cursory understanding of cybersecurity’s impact. With only a few minutes annually dedicated to cyber matters, it’s no surprise that accountability suffers. Discussions revealed that only 30% of board members feel adequately equipped to make informed cybersecurity decisions, with 75% unsure about the accuracy of their organization’s security data. In response to this knowledge gap, organizations like the NACD, which has over 24,000 members, are actively working to enhance board oversight on cyber risks. The NACD’s Director’s Handbook on Cyber Risk Oversight provides valuable resources for boards to improve their understanding and engagement in cybersecurity matters. For further insights, you can access their latest Cyber Risk document here.

Yet, the disconnect goes beyond understanding risks; boards often lack clarity on how cyber risks align with business strategy and financial health. Discussions highlighted the need for frameworks to contextualize cyber threats in terms of company assets, capital deployment, and potential financial losses. By 2026, it’s projected that cyber incidents could lead to hundreds of millions in losses, affecting not only cybersecurity but entire business operations—as seen with recent high-profile cases like Clorox and MGM Resorts.

RedSeal bridges this gap, providing comprehensive insights and tools that enable organizations to see 100% of what is in their digital environment, empowering boards and leaders to make informed decisions.

The case for standards, metrics, and regular reporting

The group emphasized the need for clear metrics and standardized reporting to guide both CISO and board actions. NACD’s quarterly cyber risk reporting program outlines the expectations boards have for their organizations. These reports detail:

  • An organization’s overall financial exposure to cyber risks and cyberattacks
  • A view of the cyber threats most likely to cause financial losses to a business
  • Insights on the cyber controls most effective in mitigating financial losses
  • Insights on cyber risk transfer/cyber insurance, including “stress testing” existing policies across a range of potential cyber incidents

Without consistency in how cyber risks are measured, many boards remain unaware of the critical issues and resources needed to address them. Regulatory bodies and trade associations could play a pivotal role in creating baseline metrics, particularly in areas like third-party security, cloud configurations, and vulnerability scanning.

RedSeal plays a pivotal role in establishing baseline metrics and developing a “cyber hygiene” checklist. Our digital resilience score offers a benchmark for security posture, helping teams grasp the essentials of cyber resilience and set proactive security strategies to mitigate opportunistic threats. This approach, akin to standards like ISO and NIST, can also help boards understand the basics of cyber resilience. As one attendee noted, “Cyber hygiene today might not prevent a nation-state attack, but it will protect from opportunistic threats, ensuring foundational security.”

Reinforcing cyber hygiene and addressing compliance fatigue

The concept of cyber hygiene emerged as an area of both opportunity and frustration. While some board members see it as a mere checkbox exercise, CISOs stressed its importance for both regulatory compliance and practical risk reduction. Cyber hygiene basics—like identifying assets, scheduling updates, and implementing phishing safeguards—are still overlooked by many organizations. But it’s these essentials, along with clear accountability, that prevent costly breaches.

Chris’s analogy between “The Sandlot”, the 1993 movie, and cybersecurity teams struck a chord. In this classic movie, boys of all different abilities were accepted on the team; all of them were needed to field it. They governed themselves, made rules that were fair and consistent, stood up for what was right, and accepted responsibility when something went wrong. In many organizations, only a few key players tackle security issues while others remain on the sidelines. A more uniform approach across all teams will significantly strengthen the organization’s overall security.

The call for a unified approach to cyber hygiene resonates deeply with RedSeal’s mission to foster a security-first culture within organizations and to know the entirety of a network. Just as on the Sandlot team, if everyone isn’t committed to playing their part, vulnerabilities are left open and breaches occur.

Moving forward: A collaborative approach

The evening concluded with consensus around the need for collaboration. Board members and CISOs alike must work to build an organization-wide commitment to cybersecurity. This collaboration fosters regular, open communication, ensuring cybersecurity is prioritized strategically, not merely as a compliance obligation.

The dinner served as a reminder that cyber resilience requires a shared commitment. With the rapid growth of cyber threats, a united approach to accountability, standardization, and proactive action will help safeguard the future of every organization.

Reach out to RedSeal or schedule a demo today to learn how to bolster your cybersecurity efforts and make the strategic move that promises long-term benefits and peace of mind.