CISOs & Cybersecurity: 7 Best Practices for Effective Board Communications
A short time ago, JM Search broke down the top six cybersecurity trends influencing CISOs today. The common thread throughout the piece was surprisingly low-tech, but nonetheless important: simple, human communication might just be the greatest tool a CISO has in bolstering their company’s cybersecurity efforts.
In this article—the first in a six-part series—we’ll dive deeper into the first trend: the importance of clearly communicating cybersecurity issues with board members and executive leadership.
Trends shaping boardroom cybersecurity discussions
Even with discussions around cyber risks spiking in recent years, cybersecurity still isn’t necessarily perceived as the highest risk for businesses amongst executive leadership teams. Although cyber risks are top of mind for CISOs, it is critical that CISOs enter discussions on the subject keenly aware that those risks may not necessarily be viewed as the highest priority for boards and senior leaders.
One area that is almost universally top of mind for businesses is ransomware. Due in part to media coverage of high-profile attacks, many boards are eager to hear how CISOs are proactively preventing attacks, how they are improving detection, what the organization's incident response plan is, and what backup and recovery plans are in place for data. Simply put, while CISOs are expected to brief boards on immediate cyber threats and risk, they should also be prepared to share the specific measures they are taking to protect the business from risks on the horizon.
Furthermore, constant media coverage, coupled with growing threats, has pushed many boards to become more technically savvy about cybersecurity. Businesses have even started to recruit IT and security executives to their boards to play key advisory roles on critical business challenges. This is an evolutionary change that is helping boards understand that business success and technological literacy are now inextricably linked. The federal government is also contributing to this evolution by taking a closer interest in the risk posture and expertise of public company boards. In fact, the SEC recently proposed rules that would require U.S. public companies to disclose whether their directors have cybersecurity expertise.
In light of these trends, how can today’s CISOs strike the right balance when communicating on business risk and cyber strategy to boards? Here are seven best practices for CISOs to consider in the boardroom.
Keep it simple
To start, boards are interested in getting a clear picture of the current state, which should be tied directly to business risks. CISOs should know their organization's top business risks and be able to speak to them in detail when necessary. However, time is precious when meeting with boards, so keeping the messaging simple and concise, without cluttering it with technical jargon, is the most effective strategy.
Balance is also important. CISOs must walk a fine line between keeping a message too simple and providing too much technical detail. Educating the board on the necessary technical details can help them to have a greater appreciation for the importance of a mature and robust function, but too much jargon can become confusing and detract from the conversation.
Tailor the message to your audience
When preparing to brief the board on the current state of information security and risk, it is critical for CISOs to know their audience and tailor the presentation to its level of expertise. Board representation and dynamics can vary drastically, even between similar businesses, so it's important to really know the composition of a board and take these factors into account when preparing board reporting.
For an incoming CISO, it's recommended to schedule one-on-one conversations with board members to understand their familiarity with information security, their backgrounds, and their preferred messaging styles. These insights will shape how to tailor future board communications more effectively.
Take a business stance
When communicating with boards, it’s essential that CISOs clearly demonstrate how each topic aligns with or supports the overall business strategy. Sometimes a CISO will enter a boardroom and lead with frameworks, privacy, and compliance without indicating how these areas tie into business outcomes. This is a challenge all CISOs face, and it’s important to ensure the board understands how the intricacies of cybersecurity tactics will ultimately help the business meet its goals.
Tie emerging trends to the business
Boards are typically aware of macro trends across various industries. It’s always good to acknowledge these, but only against the backdrop of the business context. Anything else could be regarded as irrelevant noise.
Another valuable exercise is educating the board on threat trends. Focusing on who is being targeted most allows interesting correlations to be drawn to the business. There's a tendency for board members to want to benchmark against competitors or the industry at large, but this is often a fruitless exercise. After all, being the best among a group of companies means little if some of them are doing the bare minimum. It's important to elevate the board's understanding of risk, and benchmarking in this way may accidentally provide a false sense of security.
Combine metrics with visuals
While CISOs should avoid an abundance of jargon, it’s important to build and present information in a compelling way. Leveraging metrics along with visuals to tell a story is a great way to do just that. Well-thought-out visuals can be very effective in a board setting to communicate complicated issues in a digestible way that resonates with everyone, regardless of role. It’s almost always worth the investment to seek out professional assistance to build a visually stimulating deck for board conversations.
Brevity is key
As with most forms of communication, keeping things concise is recommended. In most instances, CISOs should aim to keep their briefs between 10 and 15 minutes. This will help ensure CISOs don't get too far into the weeds with technical details and instead maintain a high-level, clear stance on the most important and relevant elements of their cybersecurity program. A good way to structure the brief is to start at the ground level, with the security team and the current state of the program, and build up from there. By the end of the presentation, it should be clear to everyone how maturing the program would reduce risk. And the all-important business case must of course be made.
Maintain communication between meetings
As with most big presentations, consistent messaging is key. Before and between board meetings, CISOs should proactively ease potential concerns by communicating regularly about current events and the company's risk posture in relation to them. Transparent and regular communication with key internal stakeholders helps avoid unnecessary surprises in the boardroom.
CISOs should also have a consistent, repeatable framework for board briefings to ensure the leadership team and board are aware of what is going to be discussed and when. Additionally, if there are planned topics that may result in tough conversations, it’s a good idea to have dialogue on these topics in advance of the board meeting to ensure alignment and joint ownership of any problems/solutions.
Like most things in life, preparation and practice are instrumental in helping land effective board communications. Today, some CISOs are benefiting from seeking out training focused on engaging with the board of directors using many of the tips outlined here. There are even a number of certifications and formal education programs designed around presenting risk management to a board.
Board meetings are a tremendous opportunity for CISOs to translate the importance of cybersecurity into actionable measures. CISOs who excel at boardroom presentations successfully demonstrate the invaluable role of the CISO and why that role is indispensable to the company. As leaders understand the implications of the message, they not only begin to recognize the value of CISOs but come to depend on their expertise for the business.
Interested in learning more about the trends shaping the cybersecurity landscape? Reach out to the JM Search team or subscribe to our blog to stay up-to-date on trends shaping the human capital landscape.