CISO Tips for Effective Communication with the Board

Clean and effective communication with the rest of the board members is vital to getting your cybersecurity agenda across. 

A company’s board of directors and its executives increasingly realize that preserving network security and a robust overall cybersecurity infrastructure for their company is an essential task. This is not surprising at a time of high-profile breaches and crippling cyberattacks that could pummel customer trust in a brand to staggering lows and have a very serious impact on the business overall. Large fines paid to regulators following a data breach are also on the rise, as are large, multi-million dollar settlements for lawsuits.

Yes, there is an ever-increasing demand for CISOs. Consider this: Home Depot had to pay out at least $19.5 million to compensate US customers following a 2014 data breach and, as a part of its settlement, hire a CISO to oversee better cybersecurity measures in the company.

CISOs have understandably become a part of the executive board of companies and large organizations. They have earned a seat at the table, so to speak. However, other board members, who hold legacy positions rather than the newly created ones for CISOs in the age of computing, do not believe the latter executives deserve a seat at the table.

Indeed, a Threat Track Survey from 2014 reported “while enterprises are increasingly turning to CISOs to head their cybersecurity operations, about three quarters of respondents (74%) overwhelmingly said they do not believe that CISOs deserve a seat at the table and should be part of an organization’s leadership team.”

While such an opinion gravely understates the importance of a CISO, one can see why board members do not prioritize cybersecurity. They have other concerns, the likes of which board members have sweated over for decades. Chief among them is ensuring shareholders are kept happy by maximizing their returns.

For a new executive in a newly created position at a company, winning over such a board can be a daunting task. It is therefore key that the CISO uses what few opportunities he or she has to demonstrate the importance of their task.

It is important to make those 10-15 minutes count while presenting to the Board of Directors at your company. Within 15 minutes, you are essentially tasked to summarize the security posture of the company and squeeze in all possible threats that could have an impact on the business. Succeeding here is key, both to educate the board members on the security well-being, or lack thereof, of the company and to ensure that you firmly stake your claim for that seat at the table.

Understand and find out what their worries are, what they would do and how they would respond if a breach occurs overnight. The watching and listening board tends to blame CISOs for security incidents, so they already have a vested interest in you. The Threat Track Security report revealed that 52% of CEOs, 35% of COOs and 43% of CFOs agree that CISOs deserve the blame for a security-related incident.

Here are four key pointers that will help every CIO or CISO with effective communication, while in the board room:

1) Forget the Acronyms. Leave them at the Door.

Keep the language simple and avoid technical jargon. Most of all, avoid the acronyms. No MiTM or even, for that matter, no DDoS. While it may sound fundamental enough to you, technical jargon could simply throw off an executive or a group of board members and derail the conversation entirely. Instead, settle for examples when talking about a DDoS attack.

2) Bring Visual Aids

Not the kind of visual aids that rely on a stack of PowerPoint slides. Board members and executives have seen plenty of those, and many of them would even admit that a stack of PowerPoint slides is very boring. No, what you’ll need are visual aids that could be as simple as an inspiring, beautiful stock photograph that can relay a message. Better yet, use some of the visuals from your solutions to fill your board in on what you’re working on.

Graphical reports that show progress toward security improvements and compliance work well, even more so when adhering to a best practice security framework.

3) Use Simple Analogies

In a room filled with business veterans from various departments, a good way to get them hooked is to create relatable analogies and stories that explain your points in an easy-to-understand way. If you have the chairman of the board paying attention to you, communicate your ideas to him with football analogies, or those of a popular sport.

Look for and identify those one or two board members who show an interest in cybersecurity. Even if they aren’t well versed in cybersecurity protocols or standards, their interest alone bodes well for you and your job. While away from the board room, share cybersecurity news stories with them, including statistics and information. Stick with simple analogies when talking about the most recent data breach that was triggered by a simple social engineering exploit.

When you have one or two board members hooked on what you have to say or share, they will be your supporters and help push your agenda, propagating it among other members of the board.

4) Use Numbers. Dollar Numbers.

The goal in any business is to ultimately make money. The employees, the business, the board meetings, they all exist to support and sustain that one irrefutable fact. Numbers matter. The board talks numbers with every other department of the company and will do so with the CISO, as well. While communicating hard dollars related to security can be a difficult task, there are ways to get around such hurdles.

  • Deliver year-over-year comparison numbers showing outages from security attacks and draw a direct parallel to the money kept or spent within the company.
  • Speculate on and project what the theft of intellectual property could potentially cost the company. These costs include PR expenses after the fact and investigative costs. Draw up these numbers by taking into account fines and costs from security incidents at other companies within your industry and outside of it.
  • Stick with that point and bring it home with a comparison of data breach numbers within your own company in the past, your specific industry and then, the overall cost of data breaches in the world.

Altogether, it can be a hard task to get your company’s board on your side, even if you find yourself in a position wherein you are simply looking for basic resources to set up an information security or data breach response program. Be proactive and positive. Make sure your agenda is on their agenda. Get them to care about cybersecurity the way you do.