With the global cost of cybercrime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative. According to the Diligent Institute survey 'What Directors Think,' board members ranked cybersecurity as the most challenging issue to oversee. Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. Kayne McGladrey, Field CISO at Hyperproof and a senior IEEE member, sheds light on this important aspect of cybersecurity governance. The driving question being: How informed is the Board of Directors to provide effective oversight of cybersecurity governance? Time Stamps 00:02 -- Introduction 03:06 -- Kayne McGladrey's professional highlights 04:01 -- 2023 Global CISO Survey Findings -- Do the Board of Directors have the necessary expertise to provide cybersecurity governance oversight? 07:24 -- CISO and Board of Directors Relationship 14:22 -- Effectively Empowering the CISO 20:07 -- Reasons for Board of Directors' Lack of Involvement 26:35 -- Board Members Cybersecurity Education and Training 45:27 -- Final Thoughts Memorable Kayne McGladrey Quotes/Statements "Interestingly enough, fewer than half of the board members regularly interact with their CISOs. This is an indicator of a communication gap, and potential alignment issues between board members and CISOs, which is really hindering progress in cybersecurity." "I know a lot of businesses still see cybersecurity as a cost center. They don't see it as a strategic advantage." "I can think of a CISO who I was just chatting with at Blackhat this year, who turned down a job they matched on salary expectations. But, they matched on job expectations, and they matched culturally. They will be reporting as the CISO to the Director of IT, not to the CIO, not to the CEO, but they're going to report to some down-level director, and they wouldn't be offered directors and officers insurance either. So effectively, they'd only be a CISO in title and C-level executive in title only, but not in practice. They recognize they were being hired in as a scapegoat. I think that's a persistent problem that we've seen associated with how companies are recruiting CISOs." "I think CISOs should ideally report to the CEO or another C-level executive like the chief operating officer or chief financial officer. And that really allows for a direct line of communications to the top-level management and that emphasizes and underscores the importance of cybersecurity and strategic decisions." "Cyber risk is a business risk. Cyber is just an influence." "Boards think in terms of business risks. CISOs, unfortunately, don't often communicate in terms of business risks. CISOs often communicate a technical risk, like a risk of ransomware, or the risks associated with generative AI; those aren't risks; that's driving the communications gap. Literally how we talk as CISOs is part of what causes a lack of oversight on the part of the board because the board doesn't understand what it is that they should actually care about. And so, they disengage." "Don't go to the board and say I have a problem, because they're not there to solve your problem. They want to know what you're doing about the problem. Also, they want to know if it's going to materially affect the business, I think if you go there with a problem, a solution and a proposal, you're probably going to have a much better time."  p...