Posted on May 18, 2017
Communicating with the Board of Directors can be one of the most difficult tasks that a Chief Information Security Officer (CISO) is responsible for. Whether it’s because of differing priorities, a lack of clear information, or simple indifference, a CISO can have trouble getting the Board on the same page if he or she is not properly prepared.
Use these suggestions at your next board meeting to increase collaboration and make your reporting more effective:
Like it or not, as a CISO, you must continually prove your worth to the company. Part of this is reassuring the Board that you are effectively managing the cyber security program. This can be done in many ways:
Remember to represent these accomplishments in terms of value added, money saved, threats averted, and so on, instead of simply showing a list of remediated vulnerabilities. An explanation of “Project X avoided $5 million in losses” is more effective than “Project X implemented HTTPS encryption on production data,” since the Board won’t understand the implications of that technically-explained risk.
The main takeaway here: it is important to keep your discussions brief and at a high-level, because you don’t want to lose board members’ interest with technical details. Have a small packet available with more in-depth information on each project in case they want to review it further.
It’s important to keep your Board’s interest as you communicate progress and accomplishments, and you should extend that lesson to all your communications to the Board.
You already know that the Board of Directors is mainly concerned about the company’s growth, reputation, and financial health. This can create a communication rift with them since a CISO’s top problems and priorities are often not focused on these areas – after all, in their eyes, your company isn’t technically losing money by using a Windows Server 2003 environment, or not encrypting customer data, so why is this really an issue? Security professionals understand the importance of these issues, so take that understanding and translate it into terms that can be easily understood by the Board.
The easiest way to do this is to express your priorities in terms of financial or reputation impact. If you don’t get funding to upgrade your Server 2003 infrastructure, what is the likelihood that a vulnerability in that OS will lead to a data breach? If a breach happens, what will that cost the company in money, reputation, and lost trust? Will you lose your entire customer database worth $10 million, or will you suffer negative PR in the media? These are repercussions that will be clearly understood by the Board.
You can also spin your projects into money-making opportunities instead of representing them as costs that must be paid. For example, if you had enough budget to lock down your systems and achieve ISO 27001 compliance, that may convey to some of your prospective clients that your company is a secure place for their data, which could be the difference between you or one of your competitors winning that contract.
Board meetings aren’t all about asking for more budget: you also have to communicate the current state of your organization’s security risks so that the Board is properly informed. Instead of a 20-page technical document with IP addresses, system names, and something about an OWASP Top 10, give your Board an easily digestible summary in the form of a heat map.
This format helps board members have an easy, high-level understanding of your security posture, and helps you highlight particular areas of concern that may require additional resources from the Board.
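As an added illustration of the two preceding points (this is example code written for this page, not SecurityScorecard’s own tooling), the script below takes a small risk register, computes each risk’s expected annual loss as probability times cost, ranks the risks in that order, and places each one on a likelihood-by-impact heat map. The five-point scales, the probability and dollar cutoffs, and the sample register entries are all assumptions constructed for the example; replace them with your own estimates.

```python
# Added example (not SecurityScorecard's code): turn a risk register with
# dollar estimates into the two things a Board reads well: a ranked
# expected-loss list and a likelihood-by-impact heat map.
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass

# Assumed five-point scales; adjust the cutoffs to your own risk appetite.
LIKELIHOOD_LEVELS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
LIKELIHOOD_CUTOFFS = [0.05, 0.20, 0.50, 0.80]   # annual probability boundaries
IMPACT_LEVELS = ["Negligible", "Minor", "Moderate", "Major", "Severe"]
IMPACT_CUTOFFS = [100_000, 1_000_000, 5_000_000, 20_000_000]  # USD boundaries


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float   # estimated chance of at least one loss event per year
    single_loss_usd: float      # estimated cost of one event: money, reputation, lost trust


def expected_annual_loss(risk: Risk) -> float:
    """The number the Board understands: probability times cost, per year."""
    return risk.annual_probability * risk.single_loss_usd


def likelihood_band(probability: float) -> int:
    """Index into LIKELIHOOD_LEVELS (0 = Rare ... 4 = Almost certain)."""
    return bisect_right(LIKELIHOOD_CUTOFFS, probability)


def impact_band(loss_usd: float) -> int:
    """Index into IMPACT_LEVELS (0 = Negligible ... 4 = Severe)."""
    return bisect_right(IMPACT_CUTOFFS, loss_usd)


def rank_by_expected_loss(risks):
    """Highest expected annual loss first: the order for the funding conversation."""
    return sorted(risks, key=expected_annual_loss, reverse=True)


def build_heat_map(risks):
    """Map (likelihood_band, impact_band) -> names of the risks in that cell."""
    cells = defaultdict(list)
    for r in risks:
        key = (likelihood_band(r.annual_probability), impact_band(r.single_loss_usd))
        cells[key].append(r.name)
    return dict(cells)


def render_heat_map(cells) -> str:
    """Text grid: rows = likelihood (highest on top), columns = impact, value = risk count."""
    width = max(len(s) for s in LIKELIHOOD_LEVELS + IMPACT_LEVELS) + 1
    rows = ["".ljust(width) + "".join(i.ljust(width) for i in IMPACT_LEVELS)]
    for li in reversed(range(len(LIKELIHOOD_LEVELS))):
        row = LIKELIHOOD_LEVELS[li].ljust(width)
        for ii in range(len(IMPACT_LEVELS)):
            count = len(cells.get((li, ii), []))
            row += (str(count) if count else ".").ljust(width)
        rows.append(row)
    return "\n".join(rows)


# Constructed sample register; the probabilities and dollar figures are illustrative only.
SAMPLE_REGISTER = [
    Risk("Unsupported Windows Server 2003 hosts", 0.60, 8_000_000),
    Risk("Customer data stored unencrypted", 0.30, 10_000_000),
    Risk("Phishing leading to credential theft", 0.70, 500_000),
    Risk("Key vendor with weak security rating", 0.15, 2_000_000),
]


def board_summary(risks) -> list:
    """One tuple per risk, highest expected loss first: name, annual loss, cell labels."""
    return [
        (r.name, round(expected_annual_loss(r)),
         LIKELIHOOD_LEVELS[likelihood_band(r.annual_probability)],
         IMPACT_LEVELS[impact_band(r.single_loss_usd)])
        for r in rank_by_expected_loss(risks)
    ]


if __name__ == "__main__":
    for name, eal, lik, imp in board_summary(SAMPLE_REGISTER):
        print(f"${eal:>12,}  {lik:<15} {imp:<10} {name}")
    print()
    print(render_heat_map(build_heat_map(SAMPLE_REGISTER)))
```

The ranked list is what supports a budget request (“this project removes $4.8M of expected annual loss”), while the grid is the one-glance view that lets the Board see where the top-right cells are crowded; keep the per-risk technical detail in the backup packet rather than on the slide.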
One of the biggest motivators to a Board of Directors is knowing that an area of the company is lagging behind your competitors. Whether it’s financial growth, operational processes, or level of customer service, the need to be better than the competition can motivate your Board to move mountains. Capitalize on this by representing your company’s security posture as it compares to peers and competitors in your industry.
How are you supposed to know what your competition’s security is like? One of the easiest ways is to use an independent security rating company (like SecurityScorecard) to get an unbiased look at how you stack up against your competitors.
You can quantify the data you find in a number of ways:
This can be a win-win situation whether you’re beating the competition or not: If you’re behind, the Board will be motivated to catch up, or if you’re ahead, explain how continued investment in the security program will help you maintain that edge.
With a new company in the news headlines seemingly every day for security breaches, board members are taking a closer look than ever at their company’s data protection. Ultimately, they want to be assured that security directors aren’t sitting around idly, waiting for an incident to happen before making improvements to their systems. Implementing the strategies above will give your Board visibility and allow you to demonstrate how you and your teams are being proactive in protecting the organization from attackers.