CISOs are increasingly winning a direct line to boards, but it’s still a rarity. That is a big missing piece, because when it comes to security, boards do not always have the knowledge to ask the right questions that would ensure shareholder value is safeguarded and the organization is protected.
Ideally, that situation will be recalibrated and CISOs will be required to give quarterly statements to their boards informing them where the company stands in terms of business goals versus cyber risk.
Getting the board’s ear is not enough. Knowing how to present relevant information and conveying it without losing board members in a welter of terms they don’t understand is key. Knowing how to present the message is as important as the message itself, because if you don’t frame it right, then your opportunity to give the board a good reading of the situation — and ask for the things you need to fulfill your mission and theirs — might slip away.
There’s always been a debate over what type of information to present. If you go in and discuss metrics, your board is likely to tune out if it isn’t well-versed in the technicalities of patching, endpoint protection and the like. The board doesn’t want to hear about tactics – it wants to hear about strategy. It wants to know the significance of the information you’re presenting, and how it’s going to affect what the business does.
In other words, you need to frame your conversation with the board at the business level, and not in cyber jargon. That means talking about how a cyber risk turns into a business risk. Instead of saying, “We’re not patching the machines,” as CISOs might typically do, we need to translate things into dollars and cents, or reputational loss – things the board understands very well because it addresses the wellbeing of the organization.
Beyond choosing the right language, another way to get your message out and gain more attention to your cause is to build alliances with people who will be at those board meetings, like the CFO. Have conversations with them, take them on as mentors who have the power to really help you.
It’s also useful to have good outreach to the CIO and the CTO, because our work requires partnership. If we need something important that aligns with the business goals, more often than not it will be related to technology.
Additionally, that alliance has the potential to alter the mindset from bolting on security after the fact, to building it in from the ground up.
Collaboration with the audit department is important, too. They’re not there to make our lives difficult. They are a company’s last line of defense; understanding their purpose and building a strong relationship with them can help to advance your agenda.
As with so many things, then, communication is key. It’s not what you’re asking, but how you’re asking. Framing the request in terms of the wellbeing of the organization and making alliances will determine whether you have success or failure.