SecurityScorecard

A CISO's Guide to Communicating with the Board

By Michelle Wu

Posted on May 18, 2017

Communicating with the Board of Directors can be one of the most difficult tasks that a Chief Information Security Officer (CISO) is responsible for. Whether it’s because of differing priorities, a lack of clear information, or simple indifference, a CISO can have trouble getting the Board on the same page if he or she is not properly prepared.

Use these suggestions at your next board meeting to increase collaboration and make your reporting more effective:

Summarize progress and accomplishments

Like it or not, as a CISO, you must continually prove your worth to the company. Part of this is reassuring the Board that you are effectively managing the cyber security program. This can be done in many ways:

  • Create a list of current and finished projects since the last meeting and explain how they have positively impacted the company
  • Summarize spending on the security program, with an emphasis on the return that will be obtained from these investments
  • Quantify how the company is more secure now than in the previous meeting (e.g. vulnerabilities closed, incidents resolved, fewer alerts generated, etc.)
  • Discuss future security projects which will further improve the company’s security posture

Remember to represent these accomplishments in terms of value added, money saved, threats averted, and so on, instead of simply showing a list of remediated vulnerabilities. An explanation of “Project X avoided $5 million in losses” is more effective than “Project X implemented HTTPS encryption on production data,” since the Board won’t understand the implications of that technically-explained risk.

The main takeaway here: it is important to keep your discussions brief and at a high-level, because you don’t want to lose board members’ interest with technical details. Have a small packet available with more in-depth information on each project in case they want to review it further.

Speak the same language as the Board

It’s important to keep your boards interest as you communicate progress and accomplishments, and you should extend that lesson to all your communications to the Board.

You already know that the Board of Directors is mainly concerned about the company’s growth, reputation, and financial health. This can create a communication rift with them since a CISO’s top problems and priorities are often not focused on these areas – after all, in their eyes, your company isn’t technically losing money by using a Windows Server 2003 environment, or not encrypting customer data, so why is this really an issue? Security professionals understand the importance of these issues, so take that understanding and translate it into terms that can be easily understood by the Board.

The easiest way to do this is to express your priorities in terms of financial or reputation impact.  If you don’t get funding to upgrade your Server 2003 infrastructure, what is the likelihood that a vulnerability in that OS will lead to a data breach? If a breach happens, what will that cost the company in money, reputation, and lost trust? Will you lose your entire customer database worth $10 million, or will you suffer negative PR in the media? These are repercussions that will be clearly understood by the Board.

You can also spin your projects into money-making opportunities instead of representing them as costs that must be paid. For example, if you had enough budget to lock down your systems and achieve ISO:27001 compliance, that may convey to some of your prospective clients that your company is a secure place for their data- which could be the difference between you or one of your competitors winning that contract.

Build a risk heat map

Board meetings aren’t all about asking for more budget: You also have to communicate the current state of your organization’s security risks so that the Board is properly informed. Instead of a 20-page technical document with IP addresses, system names, and something about an OWASP Top 10, give your Board an easily-digestible summary in the form a heat map.

Heat Map

  • Step 1: Draw out a matrix as pictured above, with “likelihood” and “impact” axes.
  • Step 2: Put your top 5/10/20 security risks to easily represent the severity of each issue.
  • Step 3: Have a key under the graph with your risk items labeled and numbered for the Board to reference if they want additional information.

This format helps board members have an easy, high-level understanding of your security posture, and helps you highlight particular areas of concern that may require additional resources from the Board.

Benchmark your company against peers and competitors

One of the biggest motivators to a Board of Directors is knowing that an area of the company is lagging behind your competitors. Whether it’s financial growth, operational processes, or level of customer service, the need to be better than the competition can motivate your Board to move mountains. Capitalize on this by representing your company’s security posture as it compares to peers and competitors in your industry.

How are you supposed to know what your competition’s security is like? One of the easiest ways is to use an independent security rating company (like SecurityScorecard) to get an unbiased look at how you stack up against your competitors.

Benchmark

You can quantify the data you find in a number of ways:

  • Percentage of service uptime
  • Number of data breaches
  • Financial loss due to security incidents
  • Security program spending
  • Industry certifications held, and more

This can be a win-win situation whether you’re beating the competition or not: If you’re behind, the Board will be motivated to catch up, or if you’re ahead, explain how continued investment in the security program will help you maintain that edge.

With a new company in the news headlines seemingly every day for security breaches, board members are taking a closer look than ever at their company’s data protection. Ultimately, they want to be assured that security directors aren’t sitting around idly, waiting for an incident to happen before making improvements to their systems. Implementing the strategies above will give your board visibility and allow you to demonstrate to the Board how you and your teams are being proactive in protecting the organization from attackers.


Related Posts

Top 3 Third Party Risk Management Challenges – and How To Conquer Them

Posted May 11, 2018

Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.

IT Cybersecurity Risk Assessment: A Step-by-Step Guide

Posted May 09, 2018

Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.

The Value of a Vendor Risk Assessment Template

Posted June 01, 2018

Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.

Critical Metrics for Measuring Detection and Response

Posted March 27, 2019

Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.

9 Cybersecurity Metrics + KPIs to Track

Posted July 08, 2019

You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 9 cybersecurity KPIs you should track. Read more.

Information Security Metrics for Executives and Board Members

Posted October 14, 2019

Metrics are important, no matter how far up the corporate ladder you are. Check out these infosec metrics for executives and board members.

 Information Security Metrics For Executives

Read More Blogs

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!