world tour:
Join us for a live look at how Menlo’s Secure Enterprise Browser puts you ahead of attackers
Over the last few years CISOs have earned a seat at the table and the ear of the board. And odds are that the importance of CISOs will continue, as bad actors ramp up their attacks — in both subtle and not-so-subtle ways — and boards become more fluent in cybersecurity and its impact on the business.
It’s more important than ever, then, that CISOs capitalize on this moment and create — then maintain — synergy with the board of directors.
The role of the CISO has further secured this seat at the table especially since the pandemic, so the timing is favorable. The sudden pivot to a work-from-home (WFH) model caught the board’s attention, and debilitating ransomware attacks and geopolitical events have picked up where the pandemic left off. The U.S. government has even contacted boards directly about cyberthreats. Board members now understand what cybersecurity can mean for a business — with 88 percent of boards in a Gartner survey recognizing cybersecurity as a business risk.
When it comes to communicating with the board, today’s CISO must know what to say, how to say it, and when. So how does a CISO gain visibility with the board and keep it? Security leaders should keep the followings dos and don’ts in mind.
Gone are the days — mostly — when CISOs stand before the board once a year with a single slide presentation that yields nothing but crickets from the audience. Now that many boards have hired members who have some expertise in security, and/or have created separate security committees to gain a greater understanding of the threats their organizations face and how to reduce or eliminate them, they’re likely to have questions for the CISO standing before them.
Although modern CISOs aren’t fortune-tellers, it’s important to anticipate what some of the most critical areas of importance are for the board. Be prepared to answer any and all security questions in relation to those areas — whether it’s a recent headline-grabbing threat, a new technology implementation, or a policy that impacts the entire workforce.
While boards are more interested in what the CISO has to say these days, don’t waste time — the board’s or yours — with slides designed to fill space or just make the presentation beautiful. Time before the board is limited, so carefully consider what members need to know. No matter what you present, don’t forget to back up assertions with facts and examples. Keep it simple, direct, and to the point when it comes to sharing this information.
Boards may be more tech-savvy than ever before, but the bits and bytes alone won’t sway them. In fact, too many technical details may cloud the picture a CISO is trying to paint. Don’t completely avoid being technical, but don’t let tech dominate the conversation either. Using technical points to underscore business assertions and goals can go a long way in bolstering your message.
CISOs shouldn’t be shy when explaining what they’ve done to protect their companies or their successes in spurning threats. Of course, don’t be arrogant. Instead, project confidence. Boards are filled with people who have achieved success in their own right and, by and large, they are drawn to those who have done the same. Meet them where they are, assume a calm, cool demeanor, and exude confidence and competence. Talk about what your team is doing and how they’re going to prove that security measures work. Be prepared to answer the question, “Are we secure?”
Don’t get trapped in a bubble, where all the talk during a board presentation centers on internal affairs. Board executives are well aware of incidents like the Colonial Pipeline ransomware attack or the Kaseya VSA ransomware attack — if for no other reason than the impacts were dramatic and startling to those businesses. Be sure to include an industry slide in a presentation that addresses what’s going on in the rest of the world, particularly in your organization’s industry, and how the security team is addressing the potential impact internally. It's always prudent to preempt the questions a board will ask about something occurring in the news.
Despite the best-laid plans, companies can still experience a security breach or some other security event. Don’t try to skirt or minimize the issue with the board. Instead, explain what happened, describe how security measures in place reduced the impact, and seize the opportunity to talk about security investment that could prevent such incidents in the future.
When times are tough or more money is needed to lock down systems and safeguard data, it’s tempting to lay it on thick about the dire state of security at an organization. Resist that temptation. Of course, avoid sugarcoating the truth, but also stay away from taking a doomsday tone and emphasizing only the bad. Instead, highlight problems, but give the board a few pearls of what went right and how to build on that. Present a plan for dealing with the negatives and becoming more proactive.
While companies should trust in their CISO’s expertise and competence, a lone voice might not be convincing.Sometimes, particularly if a CISO is new, hiring a consultant to assess a company’s security posture can go a long way in bolstering the CISO’s case with the board. A respected name whose findings back the CISO’s assessment might be enough to sway the board. But CISOs should make sure that they steer the third party toward the metrics they want rather than giving them free rein.
It’s easy to complicate a presentation or serve up a word salad that will annoy or confuse board members.But presenting information in the form of a score — a ranking, a grade, or a color-coded system, perhaps — using a popular framework like NIST CSF can catch the board’s attention and provide information in a way that members can easily grasp. Think of grades like A through F or a stoplight’s red, yellow, and green lights to mark an organization’s cybersecurity progress and identify vulnerable spots. Just make sure to choose a well-known framework and update the scores frequently.
It’s not good enough to just show up and read your report before the board, or to prepare simply by reading the board members’ bios. Get to know the board by doing some in-depth research to try to understand individuals’ priorities, preferences, and styles. Then speak to these priorities during your presentation.
Don’t assume that all board members are alike or will take in and process information in the same way. While speaking before the board, CISOs should read the room, taking in who’s paying attention, who’s quick with questions, and who seems to relate well to the information being presented. Try to build a rapport with those people both inside and outside of the boardroom, and use them to gauge how to shape presentations and form relationships with other board members.
Meeting with the board shouldn’t be treated as a one and done. It’s easy to get caught up in creating a spectacular presentation for an annual meeting and forget that board oversight and participation is an ongoing process. CISOs must look for ways to reach the board throughout the year, perhaps by sending out regular updates or even a newsletter. But tread carefully so as not to bombard the board with unwanted contact or break protocol by going over a superior’s head.
The best CISOs are good at tapping their peers for technical advice and to swap war stories. Those same peers can also be valuable resources for understanding what boards are seeking and how to better partner with them. It may take some time and effort to nurture a synergistic relationship with the board, but it’s well worth the effort. CISOs and boards can become powerful allies against mounting cyberthreats to the enterprise.
