Selling confidence in the boardroom – a guide for CISOs
Once upon a time, cybersecurity was just a matter for IT types – a subject for specialised professionals that included programmers and networking teams. Board member involvement would extend to general discussion of new regulatory requirements or looking at an HR issue like privacy.
These days the ever-growing risk of attack and the potential brand impact – valued at $223bn if we look at the potential cost of data breaches across the world's top 100 brands – have made cybersecurity a Boardroom priority.
While technology has been a great boon to business, it can quickly become a bane if your security measures are not up to scratch. Today's board members need to be kept in the loop with regular briefings. They need to know if they have an adequate security budget and are spending it in ways that best mitigate risk.
What all this means is that today's chief information security officers (CISOs) can't just be technical experts. They are now in the business of selling confidence to the Board.
How to communicate
While the most effective way to do this is by producing tangible results – such as no breaches, and low vulnerability scores – such metrics can often be difficult for Board members to understand if they're not conveyed in a clean, simple way. Communication is too often laden with technical jargon or buried by excess detail.
So, lesson one is to keep it simple. It doesn't matter what the subject might be. Your focus is simply the status of the enterprise's security and what (if anything) can be done to improve it.
Analogies are always a useful tool to help explain complex cybersecurity concepts and technologies in layman's terms for faster comprehension. Using real-life examples also helps ground the risk and impact.
It also helps to embrace "incremental messaging" – which essentially means doling out information in bite-sized chunks. Organise regular small briefings, not occasional big ones, to avoid overwhelming Board members with excess detail.
Dashboards can also help depict what's going well – and, perhaps more importantly, what is not. Use clean, simple graphs to convey complex metrics, and report on known vulnerabilities and risks.
What to communicate
It also pays to keep in mind that board members are, well, board members. They often think in terms of business impact. Translating how the probability of risk affects business operations is a good way to lead into requests for higher budgets, when necessary. CISOs should also be able to describe risk in probability terms. It's especially important to note that, when choosing the right cybersecurity solution, most board members will want or need to know whether aspects like ransomware, business loss, and legal liabilities will be covered in the event of an attack.
Above all else, it is important to exercise caution while communicating that the digital environment is secure and free from risk.
Highlight the victories you have achieved, and be confident about your cyber-defenses, and the knowledge and professionalism that you have brought to them. However, be humble enough to know some hackers may be more knowledgeable still; and be paranoid about what you should know but don't.
No cybersecurity system will ever be perfect. But a CISO can get pretty close.
Nonetheless, engaging with the Board on the topic of cybersecurity is challenging. Here are two guiding principles CISOs can focus on when sharing information with the Board:
- Share the strategy to mitigate risk in the event of an attack in case remediation does not work
- Update on how risk is transferred to cyber insurance in case both remediation and mitigation do not work
It is vital for CISOs to be well-prepared before conversing with the Board so they can instil confidence.
This will ultimately open doors to the spend and accountability required to develop robust safeguarding systems that protect the enterprise, its brand, and its customers.