A CISO’s Guide to Communicating with the Board
Communicating with the Board of Directors can be one of the most difficult tasks that a Chief Information Security Officer is responsible for. Whether it’s because of differing priorities, a lack of clear information, or simple indifference, a CISO can have trouble getting the Board on the same page if he or she is not properly prepared.
Use these suggestions at your next board meeting to increase collaboration and make your reporting more effective:
Summarize Progress and Accomplishments
Like it or not, as a CISO, you must continually prove your worth to the company. Part of this is reassuring the Board that you are effectively managing the security program. This can be done in many ways:
- Create a list of current and finished projects since the last meeting and explain how they have positively impacted the company
- Summarize spending on the security program, with an emphasis on the return that will be obtained from these investments
- Quantify how the company is more secure now than in the previous meeting (e.g. vulnerabilities closed, incidents resolved, fewer alerts generated, etc.)
- Discuss future security projects which will further improve the company’s security posture
Remember to represent these accomplishments in terms of value added, money saved, threats averted, and so on, instead of simply showing a list of remediated vulnerabilities. An explanation of “Project X avoided $5 million in losses” is more effective than “Project X implemented HTTPS encryption on production data,” since the Board won’t understand the implications of that technically-explained risk.
The main takeaway here: keep your discussions brief and at a high level, because you don’t want to lose board members’ interest with technical details. Have a small packet available with more in-depth information on each project in case they want to review it further.
Speak the Same Language as the Board
It’s important to keep your Board’s interest as you communicate progress and accomplishments, and you should extend that lesson to all your communications to the Board.
You already know that the Board of Directors is mainly concerned about the company’s growth, reputation, and financial health. This can create a communication rift with them since a CISO’s top problems and priorities are often not focused on these areas – after all, in their eyes, your company isn’t technically losing money by using a Windows Server 2003 environment, or not encrypting customer data, so why is this really an issue? Security professionals understand the importance of these issues, so take that understanding and translate it into terms that can be easily understood by the Board.
The easiest way to do this is to express your priorities in terms of financial or reputation impact. If you don’t get funding to upgrade your Server 2003 infrastructure, what is the likelihood that a vulnerability in that OS will lead to a data breach? If a breach happens, what will that cost the company in money, reputation, and lost trust? Will you lose your entire customer database worth $10 million, or will you suffer negative PR in the media? These are repercussions that will be clearly understood by the Board.
You can also present your projects as money-making opportunities instead of as costs that must be paid. For example, if you had enough budget to lock down your systems and achieve ISO 27001 compliance, that may convey to some of your prospective clients that your company is a secure place for their data, which could be the difference between you or one of your competitors winning that contract.
Build a Risk Heat Map
Board meetings aren’t all about asking for more budget: You also have to communicate the current state of your organization’s security risks so that the Board is properly informed. Instead of a 20-page technical document with IP addresses, system names, and something about the OWASP Top 10, give your Board an easily digestible summary in the form of a heat map.
Step 1: Draw out a matrix as pictured above, with “likelihood” and “impact” axes.
Step 2: Plot your top 5, 10, or 20 security risks on the matrix so that the severity of each issue can be seen at a glance.
Step 3: Have a key under the graph with your risk items labeled and numbered for the Board to reference if they want additional information.
This format helps board members have an easy, high-level understanding of your security posture, and helps you highlight particular areas of concern that may require additional resources from the Board.
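The three steps above, worked as an added example that is not part of the original article: a small risk register (constructed sample entries, not the author’s data) is ranked by likelihood × impact, placed on a 5×5 grid with the highest impact on top, and followed by the numbered key the Board can refer to. The 1–5 scales and the red/amber/green thresholds are assumptions.

```python
"""Render a board-ready risk heat map (likelihood x impact) with a numbered key."""
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

# Constructed sample risk register; names and scores are illustrative only.
RISKS = [
    Risk("Unsupported Windows Server 2003 hosts", likelihood=4, impact=5),
    Risk("Customer data stored unencrypted", likelihood=3, impact=5),
    Risk("Phishing of finance staff", likelihood=5, impact=3),
    Risk("Unpatched internal web app", likelihood=2, impact=2),
]

def band(score: int) -> str:
    """Colour band shown on the map; the thresholds are an assumption."""
    return "red" if score >= 15 else "amber" if score >= 8 else "green"

def build_key(risks):
    """Number the risks by descending score; the number is what appears on the grid."""
    ranked = sorted(risks, key=lambda r: (-r.score, r.name))
    return [(i + 1, r) for i, r in enumerate(ranked)]

def build_grid(key, size=5):
    """grid[impact][likelihood] -> list of key numbers placed in that cell."""
    grid = {i: {l: [] for l in range(1, size + 1)} for i in range(1, size + 1)}
    for num, r in key:
        grid[r.impact][r.likelihood].append(num)
    return grid

def render(risks, size=5) -> str:
    key = build_key(risks)
    grid = build_grid(key, size)
    lines = ["Impact \\ Likelihood" + "".join(f"{l:>6}" for l in range(1, size + 1))]
    for impact in range(size, 0, -1):  # highest impact on the top row
        cells = [f"{','.join(map(str, grid[impact][l])) or '.':>6}" for l in range(1, size + 1)]
        lines.append(f"{impact:>19}{''.join(cells)}")
    lines.append("\nKey:")
    for num, r in key:
        lines.append(f"{num}. {r.name} (L={r.likelihood}, I={r.impact}, score={r.score}, {band(r.score)})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(RISKS))
```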
Benchmark Your Company Against Peers and Competitors
One of the biggest motivators to a Board of Directors is knowing that an area of the company is lagging behind your competitors. Whether it’s financial growth, operational processes, or level of customer service, the need to be better than the competition can motivate your Board to move mountains. Capitalize on this by representing your company’s security posture as it compares to peers and competitors in your industry.
How are you supposed to know what your competition’s security is like? One of the easiest ways is to use an independent security rating company (like SecurityScoreCard) to get an unbiased look at how you stack up against your competitors.
You can quantify the data you find in a number of ways:
- Percentage of service uptime
- Number of data breaches
- Financial loss due to security incidents
- Security program spending
- Industry certifications held, and more
This can be a win-win situation whether you’re beating the competition or not: If you’re behind, the Board will be motivated to catch up, or if you’re ahead, explain how continued investment in the security program will help you maintain that edge.
With a new company in the news headlines seemingly every day for security breaches, board members are taking a closer look than ever at their company’s data protection. Ultimately, they want to be assured that security directors aren’t sitting around idly, waiting for an incident to happen before making improvements to their systems. Implementing the strategies above will give your board visibility and allow you to demonstrate to the Board how you and your teams are being proactive in protecting the organization from attackers.