A CISO's Guide to Effective Communication with the Board
One of the most challenging parts of being a cybersecurity leader is communicating technical concepts in a manner that non-technical leaders, boards and C-suite personnel can understand. Focus too much on metrics that lack context and you will likely get silence or a barrage of questions. Use technical language, vocabulary or acronyms and you will likely spend the entire presentation answering the question, “What does that mean?” Fail to tie risks to essential functions or business objectives and you will likely walk out of the meeting with potential left on the table.
In an era in which people are growing numb to the “doom and gloom” of cyberattacks, yet public companies are required to file a Form 8-K disclosing a “material cybersecurity incident” within four business days of determining that the incident is material, security leaders are challenged with balancing accurate and timely communications.
Consider these points as you prepare for your next board presentation.
Your Board Is Getting Information on Cybersecurity, but Is It Coming From You?
In the age of social media and push alerts on phones, developments in the cybersecurity space or details of the latest breach cannot wait until your next standing periodic board meeting. As the organization’s cybersecurity expert, it falls to the CISO to know what the board needs to know and when they need to know it. That may start with educating the board on how the latest headline-worthy breach or vulnerability affects your organization and what steps management is taking, or needs to take, to mitigate the risk. Over time, it can evolve into working with the board to build a protocol that defines which security events warrant immediate notification and an off-cycle meeting, so the board hears about them from you rather than from the news.
Operational Metrics Can Be Helpful When They Give the Full Picture, but Are They Lacking Context?
Technical people love dashboards. Visualization makes oceans of data digestible, helping management make informed decisions or see how the organization is meeting defined requirements. But interpreting those metrics often requires context about the technology landscape that someone looking in from the outside does not have. In general, operational metrics should only be presented to the board when they are needed to inform a strategic decision, and they should carry enough context to stand on their own after you leave the room. Here are some scenarios to consider when including metrics in your next board presentation, each followed by the questions a board member is likely to ask:
- “Our security tool blocked 40,000 attacks last month.” What did the security tool not block? How do we know we blocked the right things?
- “We’re following best practices, and we are better than 68% of our peers.” Whose best practices? How many practices are we following? All of them or a subset? Does benchmarking against peers even matter for your organization? If your peers get hacked, does your score improve, or do you just not look as bad by comparison?
- “We had no findings on our annual penetration test, security audit or third-party audit.” Was the assessment scoped appropriately? Did it cover everything or just a subset of systems? Does that scope align with what the board expects it covered?
- “We delivered security awareness training to 85% of employees.” What about the other 15%? Did user behavior change because of the training? Were our riskiest, highest-value people (executives, finance, administrators) included?
Tying Everything to a Business Objective Can Garner Support, but Is Everyone Aligned on Those Objectives?
A cybersecurity program that lacks organizational context is doomed to fail. The board speaks in terms of strategic initiatives, business objectives and mission-essential functions. When management and the board are not aligned on what those are, the result is often an underfunded cybersecurity program, or one that does not enable the business to achieve its objectives. Clearly demonstrating how the program enables the goals of the organization will help you focus your resources and make your requests to the board more fruitful.
In addition to the above, there are myriad other resources that can help you hone your message to the board. Here are just a few:
- National Association of Corporate Directors (NACD)
- Internet Security Alliance
- CSO Online
- MITRE ATT&CK®
- MITRE D3FEND®
- Cybersecurity & Infrastructure Security Agency (CISA)
If you need support in addressing these or other areas, please contact us. Weaver’s team of professionals is ready to partner with you on your cyber risk, strategy and compliance journey.
©2023