Elevating Cybersecurity 2025

Page 14 of 26 · WEF_Elevating_Cybersecurity_2025.pdf

HR teams

Responsibilities of the CISO to HR teams
– Provide clear security policies, risk awareness guidance and timely updates on employee-related threats to help enforce compliance and promote a secure organizational culture

Responsibilities of HR teams to the CISO
– Provide the CISO with up-to-date employee data, support for enforcing security policies and collaboration on training programmes to strengthen the organization’s security awareness and compliance culture

Internal business units and employees

Responsibilities of the CISO to internal business units and employees
– Raise awareness of the cyber risks and the role each employee plays in the security and resilience of the business
– Build a trusted relationship with open lines of communication

Responsibilities of internal business units and employees to the CISO
– Consult on a regular basis and follow guidance provided
– Report incidents in a timely manner

SPOTLIGHT: The board as a cyber ally, not an examiner

Most CISOs from the World Economic Forum’s CISO community report interacting with their board on a regular basis, many quarterly. Regular, proactive engagement with the board is essential. CISOs should feel that they can ask boards for help or advice, as it is a collaborative relationship. Although first board meetings may feel like an exam to CISOs, the board members’ intention is not to test the CISO but rather to understand the full picture and share their experience on what is presented to them.

Regarding corporate governance on cybersecurity matters, some organizations have set up a security committee midway through the quarter to get additional time to focus on cybersecurity issues outside of board meetings. Other companies run a dedicated subcommittee of the board with a focus on cybersecurity risk. Those security committees can help maintain focus on cybersecurity and continuity in dealing with it.

A key to success is to raise the risks and challenges with the board before any potential threats become real issues, so there are no surprises if an incident arises. Qualitative metrics can help tell a story and demonstrate impact better than quantitative ones can. To prepare, CISOs should consult previous board reports to glean historical information on how cybersecurity has been discussed and addressed by the organization in the past.

CISOs should create their own equivalent of a Richter scale: a mechanism for understanding and reflecting the degree of criticality from a scenario or a risk. It could also help boards prioritize what to focus on and what to ignore, parsing the signal from the noise and knowing when to become more closely involved.

“Successful CISOs proactively engage with the board, providing regular updates and insights on the evolving risk environment along with actionable recommendations. They understand that effective cyber risk management is not an isolated function, but one that must be integrated and synchronized with key areas like privacy, government relations, operations and sales to protect customers and the company.”
Laura Quatela, Non-Executive Director, Board of Directors, Lenovo

Elevating Cybersecurity: Ensuring Strategic and Sustainable Impact for CISOs 14