Has increased media attention on cybersecurity improved communication between board leadership and CIOs/CISOs?

CIO in Telecommunication, 4 years ago

Our board is very well engaged. I report into the Audit Committee, which also has a cybersecurity component. Every quarter since we established the CISO organization, we present our roadmap. We also meet with a couple of our board members quarterly for guidance and to find out what they are seeing in the broader industry. They sit on various other boards, so it's good to get their input.

I've been with Viavi for a couple years now in the CIO role and when I joined, there was no CISO organization. I said that we need to have a dedicated service organization, it cannot be embedded within an organization. So we created three competencies within IT. One is business applications, planned operations and cybersecurity, so we appointed a CISO. And we also looked at benchmarks for the industry standard of how much spend is ideal for a CISO organization. If you don't allocate a resource, both in terms of manpower and budget, it's a CISO in name only. You need to empower those teams to make sure that they get the things done.

CEO in Software, 4 years ago

The best time for a CISO is to come in right after a major failure. Because at that point in time, the world says, "You're the most important person." Before that, everything you do is considered an extra or a cost that actually reduces customers’ ability to use our environment as efficiently and effectively as I'd like them to, whether they're employees or external customers. That's a sad state of affairs.

CIO Strategic Advisor in Services (non-Government), 4 years ago

I went to assess an organization once at a publicly traded company. I looked at the CIO and their organization, who was brought in by someone above them; the CISO in their organization; how they were presenting to the board and what they were presenting to the board. The scary thing is they were presenting information to the board to give them a false sense of security. They were telling them what they wanted to hear, not what was actually happening—then a breach would happen. During my time working with this company, a breach had just happened before my arrival and a second breach happened while I was still there. And then a third breach happened, right toward the end of my time working with them. The end result was they finally lost confidence in both their CISO and CIO and the whole organization was decimated, which was great for them.

But this situation is not an outlier. I see this happening across organizations where the relationship between the board and the CIO is not strong, and they're not having transparent, candid conversations. I can give you plenty more examples of publicly traded companies in which CIO and board don't have a good relationship if they have a relationship at all. And if that gap is a problem, the gap between the board and the CISO is an even bigger problem. There's not enough conversation or work to try and close that gap. And that's part of the core issue with cybersecurity—that's the big elephant in the room.
