Over the last few years CISOs have earned a seat at the table and the ear of the board. The odds are that the importance of CISOs will continue, as cybercriminals ramp up attacks, and boards become more fluent in cybersecurity and its impact on the business. It’s more important than ever then that CISOs capitalise on this moment to create and maintain synergy with the board of directors.
The role of the CISO has evolved especially since the pandemic. The pivot to a work-from-home model caught everyone’s attention, and debilitating ransomware attacks and geopolitical events have picked up where the pandemic left off. Board members now understand what cybersecurity means for a business, with 88% of boards in a Gartner survey recognising cybersecurity as a business risk.
When it comes to communicating with the board, CISOs today must know what to say, how to say it and when. So how do they gain this visibility and keep it? CISOs should keep the following in mind.
Come With Answers
Gone are the days when CISOs simply stand before the board once a year with a slide presentation. Now that many boards have hired members who have some expertise in security, and/or have created separate security committees to gain a greater understanding of the threats facing their organisations, they are likely to have questions for the person standing before them. Although CISOs are not fortune-tellers, it’s important to anticipate critical areas of importance. Be prepared to answer any and all security-related questions, whether it’s a recent headline-grabbing threat, new technology implementations, or policy that may impact the workforce.
Make Slides Meaningful
Don’t waste time – the board’s or yours – with slides designed to fill space or to make the presentation look nice. Time is limited, so carefully consider what the board needs to know. Don’t forget to support with facts and examples. Keep it simple, direct and to the point.
Balance Tech-Speak And Business-Speak
Board members may be more tech-savvy than ever before, but bits and bytes alone won’t sway them. In fact, too many technical details may cloud the picture. Using technical points to underscore business assertions and goals can go a long way in bolstering your message.
Strut Your Stuff
CISOs shouldn’t be shy when explaining what they have done or their successes. Project confidence and competence. Boards are filled with people who have achieved their own success, and by and large, they are drawn to those who have done the same. Talk about what your team is doing and that security measures work. Be prepared to answer the question, “are we secure?”
Address Outside Security Incidents
Don’t get trapped in a bubble where all the talk centres on internal affairs. Executives are aware of incidents like the Colonial Pipeline ransomware attack, so pre-empt any questions. Be sure to include information in a presentation that addresses what’s going on elsewhere, particularly in your own industry, and how the security team is addressing the potential impact internally.
Come Clean About Internal Security Incidents
Despite best-laid plans, companies can still experience a security breach or other security event. Don’t try to skirt round the issue. Explain what happened, describe how security measures reduced the impact, and seize the opportunity to talk about security investment to prevent future incidents.
Accentuate The Positive
When times are tough or more budget is needed, it’s tempting to lay it on thick about the dire state of security at an organisation. Resist that temptation. Avoid sugar-coating the truth, but also stay away from taking a doomsday tone and emphasising only the negative. Present a plan for dealing with the negatives and becoming more proactive.
Get A Third-Party Audit
While companies should trust in their CISO’s expertise and competence, a lone voice might not be enough. Sometimes, particularly if a CISO is new, hiring a consultant to assess a company’s security posture can go a long way in bolstering the CISO’s case with the board. But CISOs should make sure that they steer the third party toward the metrics they want rather than giving them free rein.
Presenting information in the form of a score – a ranking, grade, or colour code, perhaps – using a popular framework like NIST CSF can catch the board’s attention and provide information in a way that members can easily grasp. Think of grades like A to F or a traffic-light system to mark progress and identify vulnerable spots. Choose a well-known framework and update the scores frequently.
Do Some Reconnaissance
It’s not good enough to just show up and read your report. Get to know the board by doing some in-depth research to try to understand individuals’ priorities, preferences and styles. Then speak to these priorities during your presentation.
Cultivate An Ally
Don’t assume all board members are alike or will take in and process information in the same way. CISOs should read the room, taking in who’s paying attention, who’s quick with questions and who relates well to what’s being presented. Try to build a rapport with those people inside and outside of the boardroom and use them to gauge how to shape presentations and form relationships with other board members.
It’s easy to get caught up in preparing for an annual meeting and forget that board participation is an ongoing process. Look at ways to reach the board throughout the year, perhaps with regular updates. But be careful not to bombard the board or break protocol by going over a superior’s head.
It may take time and effort to nurture a synergistic relationship with the board, but it’s worth the effort. CISOs and boards can become powerful allies against mounting cyberthreats to the business.
Devin Ertel, Chief Information Security Officer (CISO), Menlo Security