Cybersecurity incidents are increasing, and with it, the pressure on CISOs to get cybersecurity right. At the heart of this challenge is getting the full support of the board of directors. The board sets the tone for the organization, gives the green light for adequate resources, ensures alignment of investments to company business objectives, and provides leadership at the organizational level on the importance of cybersecurity.
CISOs have found themselves having to hone a new set of skills around board communication and in articulating the cybersecurity program in a way that resonates with board members. Recognizing that this may be a knowledge gap for many CISOs, especially those coming up through the technical ranks, Kudelski Security conducted a research project together with members of its Client Advisory Council. The research, titled Cyber Board Communications & Metrics, seeks to help CISOs facilitate those conversations and can be accessed here.
For this project, Kudelski Security surveyed around 80 CISOs about matters relating to board communication, such as the most common and challenging questions the board asks them. Their collective responses provide insight into what interests boards the most, what keeps them up at night, and what questions are toughest for CISOs to answer. We ended up focusing on a total of five questions in depth, covering the different paths and strategies to answer them, but here are a few highlights.
Four Key Takeaways
Across the responses we received for each question, we identified a few key takeaways. Here is a peek into best practices advice to improve CISO communication with boards and instill their confidence in the security program.
1. Get to know your board
In the long run, you’ll want to get to know your board members, their backgrounds etc. The more you understand the board members, the better you’ll be able to communicate, engage with them and get their support. As Robert Drawer, Global Director of IS, Mayer Brown LLP suggests, CISOs should have onboarding conversations with new board members, preferably face-to-face, to share the latest board presentation and metrics. Another Council member suggests discovering board members’ preferences to consume information, as some boards like visuals and others prefer dialogue. CISOs need to create a presentation that will resonate with their board.
2. Think Context
When preparing your board presentation, always provide context relating to the bigger picture, and focus on strategic elements with relevant business-centric metrics that enable to tell a story. Create a story that shows how you have aligned security program and investments to business priorities, how your controls are effective, how your strategies, investments, and outcomes make the company secure and enable business and demonstrate how your strategic plan is aligned to a framework and a maturity model and backed up by data. For example, one of our council members from the media and entertainment industry chose a spider graph to communicate the journey towards target maturity. This enabled him to provide the board with a quick view of previous maturity, current maturity, target into this year’s roadmap and goal.
3. Fail to prepare – prepare to fail (yes, that cliché)
Among the most important tasks to complete about a week before the board presentation are:
- prepare for as many questions as possible and get as much data as you can to show that you are informed,
- be prepared to talk only about the highlights of the presentation in case the board meeting is shorter in time than planned initially,
- and review and update your presentation with other senior executives to get feedback on the data points and plan to make adjustments that will improve your message. Always have data to back you up. “Before presenting to the board, get buy-in from one person in the meeting who will support what you are presenting” – Robert A. Drawer, Global Director of IS, Mayer Brown LLP
4. Tell the story the board would like to hear
And finally, during the board presentation, tell the board the story the way they want to hear it, a story that demonstrates control effectiveness and results, with related business outcomes. The most productive board interactions happen when presentations become conversations.
This is just a peek inside one part of the research. For a complete look at the research and recommended board communication strategies, click here to read our Cyber Business Executive Research: Cyber Board Communications & Metrics or look out for part 2 of this 3-part series for a more detailed focus on the top questions.