What can CISOs/CIOs do to be effective despite lack of board readiness?

Senior Director, Defense Programs in Software, 4 years ago

Lack of board “readiness” is interesting - if they aren’t reluctant and just not prepared that is the key effort. Many approaches to this.

If the board doesn’t care, as others have suggested, a CISO/CIO can update their LinkedIn profile and start a stealth job search to be effective.

Founder/Chairman/CTO in Telecommunication, 4 years ago

A mentor taught me to never sell security to folks who don’t care. He'd been doing this since the '90s, and I was working for him in the mid to late 2000s. It just stuck with me: there will always be this element of crisis, and it's needed—from a defensive standpoint, all security ultimately comes back to being the product of something bad happening a lot of the time. So don’t go in trying to educate folks on why they need to care. Find the people that actually care already, and chase them down.

Sr. Director of Security Engineering in Software, 4 years ago

Usually I have selected roles where IT security functions were pretty well valued. I've had opportunities come up when an organization wants a head of security, and I’ll ask them, “How does the company feel about security?” If they say, “The board doesn't care. They have no interest," in an interview, then I’ll turn down that role. I shouldn’t need to teach you about why my job is important.

A company can say all the right things, but if their concern isn’t real then you'll be giving all these presentations, and when it actually gets back to leadership, they say, "Yeah, our security's good—we got breached, but we have you and some other people now, so we're good." Organizations have to understand that security professionals are not a statue you put in a place. They're not like a rottweiler in a junkyard. You have to actually invest in what they're doing.

But changes are happening. In a lot of those conversations with leadership about security, people would just nod along and say, "Okay. Uh-huh. No, I'm listening, yep, uh-huh." Now it is, "Tell us how you're going to actually stop this because we're all shareholders."
