Five Best Practices For CISOs When Speaking To The Board

Over the past decade, the topic of cybersecurity has propelled its way up the board’s agenda to claim a top spot of concern and focus. Catalyzed by an exponential growth in cybercrime and rapid digital transformation, cybersecurity is no longer viewed as an “IT problem” but as a business-critical issue.

A slew of high-profile cyberattacks, more stringent regulations and the potentially massive financial and reputational damage of a breach is driving this urgency to strengthen cyber resilience. Organizations are expected and obligated to take reasonable action to secure their digital ecosystem. This growing awareness means the board wants to talk about security, risk and risk reduction, resilience, bottom-line savings and top-line growth in relation to security.

This willingness gives CISOs the opportunity to help senior business leaders better understand the value of cybersecurity from numerous angles to encourage buy-in. However, communicating this value in the right way can often be challenging and lead to confusion, disillusionment, inconsistency in policy and a lack of cohesion, which ultimately will undermine the organization’s cyber posture.

So, where do CISOs go wrong? How do you communicate effectively to the board? Here are my five best practices for speaking to the board about cybersecurity issues.

1. Avoid using overly technical jargon

When talking to the board, CISOs should carefully consider who their audience is and the language they use. CISOs will quickly lose their audience if they overuse technical jargon or obscure acronyms that few outside of the cybersecurity industry would understand.

The board is rarely composed of cyber experts, so it’s more productive if CISOs take time to translate the more technical aspects of their presentation into business language to make it more relevant and engaging.

To cut down on verbose language, CISOs should also leverage visualization as a tool to convey complex messages or to help elucidate a point using fewer words. CISOs need to be succinct, use a sensible pace and continuously read the room to see if their audience is engaged.

2. Use metrics that are meaningful

Data without context is meaningless and won’t help get buy-in from the board. When sharing data with the board, CISOs need to add a layer of context and pick the data points that impact the organization’s security priorities.

Center your metrics around the business criticality of affected assets. Boards want to know how your decisions as a CISO benefit the organization, support objectives and impact the cost. Once you have your key metrics, you must translate this data into business language so that it will be impactful, memorable and resonate with the board.

3. Don’t use fear, uncertainty and doubt as a weapon

CISOs should avoid leveraging fear, uncertainty and doubt (FUD) to drive a point home or to get the board on their side. Leveraging FUD as a weapon can give the impression that the CISO is more of a hindrance than a help or that they are prioritizing security at the expense of the business’s growth.

This negative perception of security as the “office of no” or “scaremongers” can act as a communication barrier. Instead, a more positive approach is to provide an overview of the problem, identify the root cause and to offer solutions and recommendations to remedy the issue, along with an outline of the associated benefits.

By acting more like an impartial risk advisor, the CISO can help business leaders understand the risk and determine risk tolerance so that more informed decisions are made.

4. Present security as a business enabler, not a cost center

Often when CISOs approach the board, they’re hoping to make a case to secure more resources or acquire additional budget. However, by presenting a lengthy list of security technical needs as a case for investment, they perpetuate the perception that security is a cost center rather than a business enabler.

With the backdrop of a recession, tightening budgets and pricing pressures, board members are more likely to shut down from the conversation if they cannot see the ROI from security investment. To demonstrate the value of security, use metrics CISOs that demonstrate that security is a revenue driver. A few ways to do so are to:

• Explain how customer contracts can be differentiated by driving value from security.

• Demonstrate what revenue would be based on removing a threat.

• Show what the organizations would recover in lost revenue by implementing your suggested control.

5 . Talk to board members beyond board meetings

Understanding your audience is key, which is why it’s vital that CISOs invest in relationships with board members outside of the boardroom. Understanding the other person’s communication style, personal and professional motivators and area of expertise will help a CISO land their message more effectively.

Having a strong rapport with board members outside of a formal channel can provide invaluable insights and context that will help a CISO to craft a message that is suitable and relatable to their target audience, which is then more likely to resonate and achieve its goal.

Finding boardroom allies is vital, particularly those non-technical ones, who can act as a sounding board and help you find the weaknesses in your presentation ahead of a board meeting.