Gartner, according to an article shared by one of my contacts on LinkedIn, predicts that by 2025, 40% of Boards will have a dedicated cybersecurity committee. That is good news for cybersecurity and GRC professionals, of course. But I want to challenge this movement with a question: “Do we really need a dedicated committee to get cybersecurity taken seriously?”
Cybersecurity, as a cross-functional topic, should definitely be one of the top priorities of Boards and management. (Note: I say “one of” because there are many other top priorities when running an organisation; cybersecurity cannot be the only one.) However, in my personal experience, to be effective a CISO and the cybersecurity team need good working relationships and engagement with the other functions, not just to be “stuck” with IT. Because cybersecurity is not just IT.
In reality, not all CISOs need to report to the CEO, although many argue that a direct reporting line to the CEO makes a CISO more effective. But then the CISO’s mandate needs to cover the multiple functions in that organisation, and it needs to be clearly articulated and emphasised by the highest governance leaders (not just lip service). Depending on the culture of an organisation, some would require a clear reporting structure, while others would be fine with a clear mandate.
My personal concern on reading Gartner’s prediction is that organisations will end up with “many committees” to make things happen. This eventually increases the cost of GRC instead of #SimplifyGRC. My vision for the topic: the CISO and the cybersecurity team have the right mandate, one that resonates across multiple functions; operational and tactical cybersecurity matters are solved together at that working level; and cybersecurity items are discussed at Board level just like any other topic, in one (regular) meeting, without structuring a dedicated committee.