SoSafe: Board-Level Cybersecurity Governance & CISO Accountability

SoSafe
07/01/2026
Transcript


So as I said, we're going to be talking about how the board feels about cybersecurity. But quickly to introduce our panelists, first up we have Carsten Thoma, currently the president of Celonis, the global leader in process mining, who brings a wealth of experience both as an investor and as an entrepreneur. In 1997, he cofounded SAP Hybris, and under his leadership, Hybris introduced the first ever cloud eCommerce platform, and eventually became one of SAP's major acquisitions of 2013. Beyond that, Carsten advises venture capital firms like La Famiglia and General Catalyst, helping to guide the next generation of innovative startups. Next then, we have Ricardo Diaz-Roer, the current CDO and CIO of Grand Automotive. With over 30 years of experience in IT leadership and digital transformation, Ricardo is also the owner of Rydia Consulting and serves on the board of Swish.ai. He's previously held roles as CIO of Emil Frey Group and CEO of Emil Frey IT Solutions, where he led impactful digital strategies, and his career spans top positions at Media Saturn Holding and nearly two decades with Lufthansa Group, leading innovation. Next we have Michael Bupre, a seasoned cybersecurity leader and current head of cybersecurity at Hays. With over 25 years in IT and cybersecurity, Michael is dedicated to addressing the cybersecurity skills gap and strengthening corporate resilience to ensure safe digital environments. And last but certainly not least, we have our very own chief security officer of SoSafe, Mr. Andrew Rose, who brings us over 25 years of experience as CISO for UK air traffic control, MasterCard, Proofpoint, and two Magic Circle global law firms. He was also a principal analyst at Forrester Research, and his recognitions include European CISO of the Year and Best Security Awareness Campaign. I could brag about him all day. Welcome, gentlemen. Thank you. All right, so as just one more reminder, we have the QR code and the link up here on the slide.
So feel free to submit your questions, and we'll try to keep this as interactive as possible. But to get us started right away, Carsten, I will start with you, if that's all right. How have you seen the board's focus on cybersecurity evolve over the years? Probably the biggest change over the past three decades was also triggered by the cloud transformation. You had much more choice in a non-cloud world, like how do you protect your data, where does the data reside? That was a massive shift for almost every company. There are so many things today that you have to think about that weren't that relevant like 20 years ago before the cloud took over everything. So this is reflected not only on board level, but also in product planning, product management, executive teams. There are always different camps you have to think about: okay, what does this mean for the behavior of the people? What does it mean for systems? And what does it mean for your own products? But nearly everything got turned upside down. And would you say with that transition that you've seen boards become more actively engaged on the topic of security particularly, or more that it's just a growing concern? It's probably a different severity level depending also on what you're doing, right? There's more or less sensitive data, but in our case it's fairly sensitive process data per account that tells you a lot about how the business is running. So it's incredibly important that only one, your client, has access to your data; you have to protect it no matter if it's residing in a hyperscaler. And so we have to invest a lot of time and infrastructure and also behavioral learnings. You cannot talk about certain data types. You put up a demo, like what type of data do you show, right? You cannot just take data from one tenant and move it to the other because it's a similar example. So it is highly, highly, highly relevant.
And we also have the necessary representation on the executive team, but also on supervisory board level. Like Vanessa, who is responsible for security, integrity of data, and also legal, she's in every board meeting, the supervisory board meeting except the performance session. So very clear that is a top priority for us. Excellent. Thank you. So the next question I could address to anybody, but maybe I'll start with you, Ricardo. So in 2023, there were draft SEC rules that mandated a skilled cyber person must sit on the board of a company. So this was seen as a game changer for CISOs, but then was sadly dropped from the revised version. So stats also suggest that board members think they understand this topic, but then we see kind of this one step forward, one step back. Any comment that you'd like to make on this? I think it depends very much on the nature of the company and the business. You will find organizations where having a CISO on board is extremely important. If you are an IT company, if you're producing cement, probably you wouldn't necessarily see such a position on the board level. At the same time, there are companies who have 12 board members like banks, others have maybe just three. So there's not a single answer to that. But basically, definitely the role has been increasing in importance. And I believe that on the board should be those who are managing resources. And one very important resource nowadays is information technology. So either the CIO or the CISO, but basically it should be represented in the board, which actually in many companies is not the case, at least not in the German landscape. Andrew, anything you'd like to add? Do you have an opinion on whether there should be an installed security expert on every board? It's a tricky one, isn't it? Because I do think that pretty much every organization these days is a technology organization. Everything you do has technology woven through it.
Whether it's your e-commerce, whether it's your design capabilities, whether it's just even your office, back office stuff of billing people, it's all technology related. And so any movement the organization does in terms of perhaps buying another organization or divesting of a part, it's all technology related. So you do need somebody at those board conversations to bring that technical and security aspect to all of those different conversations, whether it's new products, whether it's strategy, whatever it happens to be. However, I am personally feeling that the CISO shouldn't sit on the board. Now, Michael, we may disagree on this one, so I'll line you up for that one. But I think that the CISO's job already is so vast and so complicated, and you're torn in so many different directions. If you want to be an effective board member, you've got to have opinions on everything they talk about. You can't just sit there and wait for a cyber topic to come up, because that will marginalize you as a board member. So you need to be able to have insightful commentary on the HR strategy, on the mergers and acquisitions strategy, that's not just from a cyber perspective. And I think the CISOs are frankly too busy to do that. And honestly, a lot of CISOs out there are probably still of a single mindset regarding security, security, security, and not the wider business. So I think that, yes, we need cyber skills and cyber accountability on the board. But at the moment, I think the CISO is not the person to do that. Can I weigh in on that? I was going to go right to you. And quite honestly, I mean, I'm going to ask a question here in the audience. Put your hand in the air if you have nothing to do with technology, it doesn't touch you, your company doesn't use it at all. There's no hands up. Yeah, so there's a simple saying: more technology in our faces means more crime in our spaces. So technology is growing much faster than human beings' capability is growing.
And so companies are becoming very reliant on this. And as you mentioned, having that dialogue between the board and the technology providers is important. I don't think all boards are ready for a CISO on the board, and I don't think all CISOs are ready to be on the board, but some are. It depends on the kind of company you are and the kind of perspective you have and what you do on a day-to-day basis. The really good CISOs that I know, they are what I call full-spectrum CISOs, right? So some CISOs, they are GRC, Governance Risk Compliance. They bring the rules, somebody else brings the tools, yeah? A full-spectrum CISO brings the rules and brings some of the tools. And what they care about is not just the technology, because you're not protecting the systems, you're protecting the people and the customers who rely on the systems. You're protecting the brand, you're protecting the reputation, you're protecting a whole lot more. Market share, customer satisfaction, shareholder satisfaction. So the broader your perspective as a CISO is, when you're able to have that kind of broad perspective that a board member needs to have, then you're not going to be down on the keyboard in the weeds, but you're going to have a strong team doing that for you, and you can be that interface between the board and that strong team. But not everybody's ready for it. And I think that's a great follow-up question that I have for you, then, is, you know, what would be a few hallmarks that you would say of what means readiness for a CISO to step into that board role? Yeah. So, again, so in 2023, I was in 23 countries and 85 cities, yeah? Talking to board members, talking to leaders, trying to get a sense of what's happening in the world. And you have different levels of maturity in different countries and different environments, also in different industries. So when you're looking, is, do I need a CISO on my board? How mature are you as a company, yeah?
So if you don't even have the basics down, you can't even take care of antivirus systems or you can't take care of EDR systems, you can't take care of your network security, you're probably not ready to have a board member who's a CISO, because it's too far away from reality. So what I always say is, Germany's a good example. In Germany, most CISOs that I know, they grew up from a technical background, and so they don't have a lot of business acumen, yeah? If you want to put a CISO on your board, they need to have business acumen, they need to have soft skills, they need to understand what a P&L is and how it works, they need to understand how startups work, how funding works. When they have that kind of understanding behind them, plus the ability to lead technical people, not necessarily be a technical person, when that skill set is there, then they become ripe for the board. We had a conversation in Barcelona about this, it was very interesting. They were trying to build the perfect CISO profile, and I said, don't do that. Take the perfect board member profile, and then add the CISO skills to it. Now you're doing it the right way. But it's not just the chief risk officer. Call it what you want, yeah? So if you have a chief risk officer who's going to take the cyber security and the IT security under their umbrella, that meets the objective, yeah? Most companies don't even have a chief risk officer, either. True, true. All right. Thank you, gentlemen. So then, Carsten, I'll come back to you. As someone who's worked with a number of boards in different landscapes, what is one tip you would offer, particularly to our audience, of how a CISO can enhance, improve, maybe, their relationship with their board? Look, I think it's already difficult to put together a board that really adds value to what the company is doing. And if you narrow down that profile even more, there's not a lot of people that can do both, right?
In terms of management and subject matter expertise perspective. But I think the observer model that we have as a first step at Celonis is really working well. I think you have more choice. You have to have someone who has the helmet on, right? That's clear for the whole risk and security topic. But it doesn't necessarily have to be a full board member if you don't find that person that can do both. And just make it a board observer, and make sure there's consistency between all governance bodies of a company. So the board is one, but the executive team is another one, right? You will not surface risk and integrity issues if you don't start in the daily operations. So you have to think about that too. And then compromise. Yeah, then add a board observer that also is probably part of the executive team. And then at least for now, at least for now, you have relatively good coverage. But also with the whole discussion, we should also not forget there are other things that you have to protect the company from. And there are even things that you have to protect your shareholders from, right? Like, particularly if we look at the last 10, 12 years of valuations and inflation, there were severe other topics too on board level that should have been discussed, not only cybersecurity. Yeah, absolutely. True point. Ricardo, I'll come back to you next. How would you advise leaders to foster a culture where cybersecurity is seen as intrinsic to business success, rather than just an additional compliance box-ticking exercise? Okay. Yeah, this is always, with these topics, normally if you have the chance to position it or to create a value proposition out of it, then you should use it. So let's say if you're an IT company, if you have a company where security is highly relevant, then you always have a chance to position it as something that can even serve as a sales proposition and include it in your, how do you say, in your proposition to the customers.
The problem is there is a limited window for doing that, a window of opportunity, and probably for most companies it's already passed. So I remember 15 years ago, the whole area of sustainability came up and I was working for a power generation company and we took this opportunity. I was in a management course in Fontainebleau and we created a strategy for how to position a power generation company as sustainable. And it was exactly the right point of time and many of the recommendations were put into practice, and at that time it was not usual, it was not the common thing to do. And so for security, probably now for small and medium enterprises there is a window of opportunity; maybe for most larger organizations it's already passed. Second thing I would say to achieve that is lead by example. So you have to have the top management commitment, they have to take it seriously, they have to communicate it into the organization. It's not so long ago that the secretary of a board member addressed me and asked me, look Ricardo, how can we avoid that my boss has to do this annoying cyber security training. I had to explain to this board member how important it is that not only he does it, but nobody talks about this; this talk shouldn't even exist in a company. This is something very dangerous where people then don't take it seriously, and if they see that the board doesn't take it seriously, it won't help creating that proposition in the company. And maybe one more thing, make it fun and fit to the culture, I tend to say. If you're working in a sales company, you have a very competitive environment, try to build competitive elements into the training so that people have fun in doing this and teams maybe competing against each other, then they will involve much more, dig much deeper into the topic and make it a natural thing to do for the people in the company because it's similar to what they are doing every day.
Right, so true culture building and making this a part of everyone's day-to-day real work. Excellent, thank you. Can I drop something on there? Absolutely, please. So this is one of the things I love about SoSafe, right? So Nicholas is a former psychologist, right, or he's a psychologist, right, he has a psychological background. So you have awareness, you have training, you have education, and if you just do that and nothing changes in the behavior, you've really done nothing. So you really have to try, when you want to establish a security culture that we're talking about, to affect a behavioral modification of some kind. And when you do things that people care about or you talk about things that are important to them in their language, in their tone, that they can relate to, they're more apt to change their behavior and to modify their approach. Did you want to add? I was going to say there's a whole topic I talk about, the stages of maturity. I think there's a presentation this afternoon actually on maturity in your security awareness campaign, and just having more and more awareness doesn't change anything, as you say. It gets you compliant, but it's not going to change your risk. You need to move into that behavior phase and the culture phase, and there are specific things you can do to move across that, but I'll talk about that later today. Then I have another question for you, Andrew. So what is one key question boards should be asking their security leaders to understand things are good, things are under control? Is there a key performance indicator? How can we measure readiness? Good Lord. That's a heck of a question, isn't it? It was a quest I was always on, actually, because I remember one of the first board meetings I went to, it was my third day in the organization, and the board member said to me, on a rating of 1 to 10, how secure are we? I was like, oh my God, is that what they want to know?
So I spent the next couple of years trying to figure out how to answer that question before I figured out that that is entirely the wrong question to be asking, because unless I could come and give them a 10 out of 10 score, which we all know is impossible, they were never going to be happy. So there's an awful lot of metrics that I think you need to present to the board, and it depends on the organization, depends on the industry, but I think the fundamental question you need to be trying to answer, and again, this gives away a speech I'm doing tomorrow because I've got a speech tomorrow morning about reporting to the board and metrics, but is, are you doing enough? Are we doing enough to manage the risk? And so it's about trying to describe the risk that your organization faces and how you're applying controls and measures to manage that risk within a tolerance. And lots of organizations are not good at that particular discussion because it's difficult to quantify risk, it's difficult to quantify culture, it's difficult to quantify awareness, and all of those things become difficult. So you have to look at sort of new ways of trying to measure those particular things, and some of our product tries to do that in terms of bringing the human risk index to the table. But it's a challenging concept, and I'll go through, I've got a big slide deck tomorrow to go through lots of examples of how reporting to the board can be sort of achieved. Excellent. So a nice plug for that session tomorrow morning. Anyone else want to add to this? You're a board member, so I kind of want to get your thoughts on this too, right? So I don't think it's a question, it needs to be a dialogue. So it's an ongoing active dialogue, because whenever a board member asks me that question, I turn around and ask them, well, what's most important to you to keep this company running? What is the most valuable thing in the company?
What creates your position in the market and helps you stay there? When you start to understand this, then you can roll back and tailor your approach to supporting these things. What are your thoughts on those kinds of conversations from a board member perspective? It's what you said. It has to be a part of the culture. It's a very simple saying, trust is earned in drops and lost in buckets. I like that. If you deal with new technologies, if you deal with data, if you deal with new business models, you're also prone to new threats. We have to accept this in a company environment as we have to accept this as a society, right? We once decided that giving up some freedom can lead to more security, right? And we should not look at this as supervision or surveillance on a certain level. It's a trust topic and it's part of what we do, utilizing and operationalizing those technologies. And if we then don't show the acceptance as a foundational element of our culture to deal with it, then we should do something different. It's not optional. You know, a board member is a shared group with different equities, right? So what I find most effective, if you go to a board directly and talk to the whole board, it's very hard to find the common thread between all of them. But if you go to the board members individually and talk about the different equities they have, then when you're in the board setting, you've already been familiarized with that, you've already been associated to that, and then you can facilitate a conversation to help find shared equity. Do you view it the same way or is that something? Absolutely. And at one point it also becomes normal. Yes. It's such an important thing to do, to have those individual one-on-one conversations. Because what you can find is each of the board members has got a pet project or a pet area they care about, and you can start to tie your security strategy to those pet projects. 
And when they see the value that your security is offering their project, they will start to defend you in the board. And so when someone tries to cut your budget, they will say, well, hang on, I know that that project is supplementing my pet project, therefore I'm going to defend it. So you end up getting a lot of board members to help you and be on your side if you have those individual one-on-one conversations. Very interesting. So we spoke a bit at the beginning about board readiness and whether or not it's appropriate to have a CISO sitting on the board. Maybe one level more broad, who should a CISO report to? Maybe Ricardo, we'll start with you. I know, I've left that intentionally very open. Always to the CIO. I think I would recommend, depending on how important information and information technology is in the company, I have made better experiences, to put it that way, if the roles of the CIO and the CISO are not separated. Because it always can create political conflicts, but it depends very much on the personality of the people. If the CIO knows how to play his role and enable the CISO, give him enough freedom and can also step back when security is important, I've made the best experiences in this way of working, but probably it's not the right setup for every company. It really depends, right? So every company has a different culture, every company has a different risk profile, every company has a different approach, every CISO is also different. So depending on how that collaboration system works, depending on how those relationships and coalitions are built, I've seen it work where the CISO is two levels down from the CIO. I've seen it work where the CISO reports to the CEO like I do. So you have different constellations. What's most important is understanding how the company functions, how the culture is designed and then find what actually produces the most value and take that, and it's not going to be the same thing every time. 
There's a lot of comments that the CISO should not report into the CIO because of the conflict of interest you mentioned. Honestly, my opinion on the whole thing is it does not matter where you report. If you're a decent CISO, a good CISO, then every conversation you have, you're working across the whole enterprise. You're talking to the head of product, the head of HR, the head of marketing, everybody is in your network because you need to be networked across the organization. So if somebody is above you and is getting in your way and trying to stop your budget flowing, you should have a million other people that you can talk to, to try and get that resolved. So I think if you're an effective CISO, the reporting line doesn't really matter. The only exception I'd say to that is if you're in a low maturity organization. If you're in a low maturity organization, actually reporting into IT makes sense because 90% of your initial challenges will be IT related. So working alongside the IT team as part of them to get those initial technology protections deployed is a sensible thing. But after that, I don't think it matters too much. I mean, a common thread from everything that all of you mentioned is the importance of this culture building and security being everyone's responsibility, at which point then maybe the formalities matter less over time, yeah, certainly. So going again to our Slido questions and perhaps the last question we may have time for, because I want to give each of you a chance to comment on this topic because I think it's a very important one, which is: what do you do in a moment as a security leader where you feel like you have zero buy-in from your executive team, from your board, where they're really not understanding the risk, they're not understanding how big the risk is, perhaps, it's a spectrum, but when you're struggling with breaking through and being understood? Anyone want to start? Save the best for last.
I think the easiest thing is if you have a cyber attack, then the situation will suddenly change, but it's of course something nobody wants. So I think if they can really feel the consequences of such a thing happening, maybe even, I would advise maybe getting somebody from outside and organizing a workshop and making this really happen so they can touch and feel and see how it is and what the consequences are. Normally after cyber attacks, the situation changes radically. So the situation you're describing, as many, many companies have undergone such attacks, is not so much there, but I agree there are still some companies where you will find this situation. Yeah, so at Hays, we're a people business, right? So we're in 33 countries, 11,000 people, we put a person in a job every 22 seconds. So we think about that, the kind of communication and network it takes to do something like that. So I spend a lot of time talking to board members, I'm talking to CISOs who can't get to their boards, who don't want to hear from their CISOs, right? And it's a people thing. So sometimes my advice is, you know what, leave. It's time to leave. It's not a compatible relationship that you have. You guys have just not been able to find that synergy you need to make it work. Other times, as you said, if you bring somebody outside to advocate for you and help see it from another perspective, they realize the things you've been saying sound better from somebody else. I've gone in as an external consultant, and I've said exactly what the CISO said, and they said, yes, that's what we need. And then she said, but they never listen to me, because it's an outside voice, because they don't think there's a hidden agenda. So it's really do everything you can to make that connection. And if you can't, move on. Let somebody else come and do it, because the chemistry is extremely important. Well said. Yeah. I do think you're right about the external voice.
It's so frustrating, having been a CISO, finding that a report comes in with a Deloitte stamp on it and a massive price tag saying exactly what I said, and suddenly they'll believe that one. Very frustrating. But I think one way to get through is, all of those are very true. I think another way is peer comparison. If you can actually bring to them and say, this is what all of our peers are doing, and we're not. We're falling behind. That will drive some impetus. And finally, compliance. You just walk in with a compliance standard saying, we have to do this. Compliance requires us to do this. There's no option. We just have to do it. Full stop. That's always a good way to get something moving, too. Any last comments on that? Then maybe we do have time for one more question. So what advice would you give to a CISO working for a company in a tight economic situation where budgets are getting very tight? Make sure you report to the CFO. It's wonderful. Many CISOs don't take a business case to the board with them. So I was supporting a company one time, and I showed them that I could help them save about 1.5 million euro and make them more secure. And the reason was they had multiple endpoint protection systems. There was no economy of scale. I brought a business case together. I showed the value of doing something like this. And the next question they asked me, they asked me two questions. Why haven't we done it yet? I said because nobody looked at it. What else is out there? Oh, so glad you asked. And here's more. So there are plenty of hidden champions, plenty of solutions out there that are not being leveraged. Yeah? Or you've suboptimized your spend because you're not doing it centrally, and it's just buying pieces. It's called nickel-and-diming. You're buying pieces and parts over here. So in a tough economic situation, when you can find cost savings, optimization, improved automation, help save money, well, people listen to you.
And you can still be more secure and save money and be more effective. It's possible. So about positioning the business case. Absolutely. Not just the risk case. Yeah. Another thing to do is just make sure you're spending your money wisely. I was chatting to a CISO a couple of months ago, and he said he moved into a new role, and they had a server control in place, and they paid for it for 100% of their server estate. When he did the analysis, it was deployed to less than 2%. So they had all of this money they were spending and not getting the value from. So I think one of the first things I always do in a new organization is just say, what have we got? And what have we got that we're not using? What controls? And how are you maximizing your current spend? Because honestly, there's a lot of value being left on a shelf that's just not deployed, not being used. Excellent points. Being a good steward of the funds that you do have to prove to get more. And we all agree it's an extremely important matter. So if you're not getting the money you need, probably you have a problem of trust. And this is not always easy to resolve. So if the fundamental problem of trust, either it's the wrong board or the wrong CISO, and somehow we have to resolve that. And if you don't, I mean, risk opportunity and those topics, the trust topic, they have to have alignment. Also, you can express this in your org chart. And if you do that, you should not run into those conflicts, if there's a common understanding. And if not, then you have to create that alignment. It's fairly simple. Absolutely. Very true. Maybe one last thing on that. So if you look at the last 28 years, and you watch as an economy takes a downturn and people start cutting money, and then they cut cyber or security, yeah, eventually they get hacked and they spend more later. 
So if you go look at the trends over the last 20 years, what you see is you see a dip in the economy, a rise in cybercrime, an increase in spending, and it just goes like this. So if you can have the right communication method to show them that cutting now will cost you more later, they may not want to cut you. But if that relationship's not there, you can't have that conversation. You have to have that trust. I agree 100%. Yeah. Excellent. Well, and then on that note, we will wrap it up. Thank you so much, gentlemen, for joining us today. Please, a round of applause for our panelists.

TL;DR

  • Cloud transformation elevated cybersecurity from an IT operational concern to a strategic board-level responsibility, fundamentally changing how organizations govern data protection and third-party risk.
  • The panel debates whether CISOs should hold formal board seats, concluding that board observer roles offer a practical compromise while full board membership requires business acumen beyond technical expertise.
  • Building effective security culture requires executive commitment demonstrated through behavior, not just policy—leaders must visibly participate in training and communicate security as a business enabler rather than compliance burden.
  • In tight economic conditions, CISOs should present business cases showing cost optimization opportunities through consolidation, automation, and eliminating redundant controls rather than purely risk-based budget requests.
  • Effective CISO-board relationships depend on individual one-on-one conversations with board members to understand their priorities and align security initiatives with their specific concerns and projects.

Cloud Transformation and the Evolution of Board-Level Security Focus

The panel opens with Carsten Thoma reflecting on how cloud transformation fundamentally changed board-level cybersecurity discussions over the past three decades. Before cloud adoption, organizations had more control over where data resided and how it was protected. The shift to cloud infrastructure introduced new complexities around data sovereignty, multi-tenancy risks, and third-party dependencies that boards now must actively govern. This transformation elevated security from an IT operational concern to a strategic business risk requiring executive oversight. The discussion establishes that nearly every modern organization is now a technology organization, making security intrinsic to business operations rather than a separate function.

The CISO's Evolving Role: Board Member or Strategic Advisor?

A central debate emerges around whether CISOs should hold formal board positions. Andrew Rose argues that while boards need cybersecurity expertise, the CISO role is already too vast and operationally demanding to effectively serve as a board member. He suggests CISOs must have opinions on HR strategy, M&A activity, and broader business initiatives beyond security to be effective board members, which dilutes their core focus. Michael Beaupre counters that full-spectrum CISOs with business acumen, P&L understanding, and soft skills can successfully bridge technical teams and board governance. The panel converges on the importance of board observer roles as a practical compromise, ensuring security leadership has consistent visibility into governance discussions without the full burden of board membership. The consensus is that readiness depends on organizational maturity, industry context, and the individual CISO's skillset.

Building Security Culture Through Behavioral Change and Executive Commitment

Ricardo Diaz-Rohr emphasizes that cybersecurity culture must be led by example from the top. He recounts an incident where a board member's assistant asked how to exempt the executive from mandatory security training, illustrating how leadership behavior signals organizational priorities. The panel discusses positioning security as a competitive advantage rather than compliance overhead, particularly for organizations where security can serve as a sales differentiator. Michael Beaupre highlights that awareness training alone doesn't change risk—behavioral modification is essential. The discussion references SoSafe's psychological approach to security awareness, emphasizing that effective programs must resonate with employees' daily work and cultural context. Making training competitive for sales teams or contextually relevant for different departments increases engagement and drives lasting behavioral change.

Navigating Budget Constraints and Demonstrating Security ROI

When addressing tight economic conditions, the panel stresses the importance of CISOs presenting business cases rather than purely risk-based arguments. Michael Beaupre shares an example of identifying 1.5 million euros in savings by consolidating redundant endpoint protection systems while improving security posture. Andrew Rose notes that many organizations pay for security controls deployed to less than 2% of their intended coverage, representing significant wasted investment. The panel advises CISOs to conduct spend optimization audits, eliminate redundancies, and demonstrate cost savings through automation and centralized procurement. Carsten Thoma adds that trust between the CISO and board is fundamental—if budget requests are consistently denied, it signals either misalignment in communication or a fundamental relationship problem that may require organizational change. The historical pattern shows that cutting security budgets during downturns leads to breaches and higher costs later, making proactive investment the more economical path.

Chapters

0:00 - Introduction and Panelist Backgrounds
2:30 - Cloud Transformation's Impact on Board Focus
5:00 - Should CISOs Sit on Boards?
7:50 - CISO Role Evolution and Accountability
9:30 - Bridging Board-Security Knowledge Gaps
12:30 - Risk-Based Decision Making
15:30 - Building Security Culture
19:00 - From Compliance to Competitive Advantage
23:00 - CISO Reporting Structures
24:30 - Gaining Executive Buy-In
27:30 - Navigating Budget Constraints

Key Quotes

2:40 "The biggest change over the past three decades was also triggered by the cloud transformation. You had much more choice in a non-cloud world, like how do you protect your data, where does the data reside? That was a massive shift for almost every company."
7:07 "I am personally feeling that the CISO shouldn't sit on the board. The CISO's job already is so vast and so complicated, and you're torn in so many different directions. If you want to be an effective board member, you've got to have opinions on everything they talk about."
9:07 "You're not protecting the systems, you're protecting the people and the customers who rely on the systems. You're protecting the brand, you're protecting the reputation, you're protecting a whole lot more. Market share, customer satisfaction, shareholder satisfaction."
15:06 "It's not so long ago that the board member, the secretary of a board member, addressed me and asked me, 'Look, Ricardo, how can we avoid that my boss has to do this annoying cybersecurity training?' I had to explain to this board member how important it is that not only he does it, but nobody talks about this."
19:26 "Trust is earned in drops and lost in buckets. If you deal with new technologies, if you deal with data, if you deal with new business models, you're also prone to new threats. We have to accept this in a company environment as we have to accept this as a society."
28:05 "I showed them that I could help them save about 1.5 million euro and make them more secure. The reason was they had multiple endpoint protection systems. There was no economy to scale by. I brought a business case together."

FAQ

Should every company have a CISO on their board of directors?

The panel concludes it depends on organizational maturity, industry, and the individual's skillset. Board observer roles offer a practical compromise, ensuring security leadership has governance visibility without requiring the CISO to develop expertise across all board topics. Full board membership works best when the CISO has strong business acumen, P&L understanding, and can contribute beyond security topics.

What should boards ask their security leaders in order to understand whether security is adequate?

Rather than asking for a security score out of 10, boards should focus on whether the organization is doing enough to manage risk within acceptable tolerance levels. This requires ongoing dialogue about the organization's most valuable assets, what creates market position, and how security controls align with protecting those priorities. The conversation should be risk-based and contextual rather than seeking absolute security metrics.

How can CISOs gain executive buy-in when boards don't understand cybersecurity risks?

The panel recommends several approaches: bring in external consultants to validate internal recommendations, use peer comparison data to show the organization is falling behind competitors, leverage compliance requirements as non-negotiable drivers, and have individual one-on-one conversations with board members to understand their specific priorities and align security initiatives accordingly. If these approaches fail, it may signal a fundamental trust problem requiring organizational change.

