CISOs can drive the security discussion in the board room
Cyber security is increasingly becoming a top business concern for executives. A recent survey from The Conference Board found that US CEO’s rank cyber security as their top external concern for 2019. However, at a board level, security discussions with the CISO are relatively rare. Without this critical interaction, it can be challenging for a CISO to drive security strategy. Luckily, there are some steps security professionals can take to earn a spot at the table with the board.
Why aren’t CISOs being invited to the discussion?
Numerous challenges stand in the way of a CISO getting in front of the board of directors. From reporting structure, to stereotypes about a CISO’s qualifications, security executives have many barriers to overcome. Understanding the challenges enables development of strategies to overcome them.
Organizational reporting structure
In most organizational reporting structures, the CISO reports to another executive below the CEO. As a result, organizations commonly view the CISO’s duties as a subset of another officer’s role. The board typically calls upon the higher ranking executive, commonly the CIO, COO, or CRO, if and when the discussion of security reaches the board room.
Perception of the CISO
A connotation that CISOs are too technical also plagues their ability to win a spot in the discussion. Developing a security strategy requires a significant level of technical knowledge. Indeed, CISOs sometimes struggle with presenting security strategy in terms that resonate with the board. Overcoming the stereotype of too technical for the board room challenges even the strongest CISO.
Security is scary
Despite the increased focus on security, all too often the board avoids topics of security. The complexities and uncertainty of cyber security makes it an untenable discussion point. Sure, directors want to keep the organization’s name out of the headlines. But at the same time, some treat cyber security like a toothache. Rather than go to the dentist, try to avoid even thinking about it. However, the problem doesn’t simply go away. Just like that tooth, ignoring it only makes things worse.
Earning a spot at the big table
Security leaders need to change the perception of the CISO role and make cyber security a regular topic for the board. This begins with establishing a level of credibility with higher ranking executives and the board. While this process takes time, establishing a solid report with the board ensures they’ll seek out the CISOs perspective.
Forget FUD, focus on the business
CISOs commonly make the mistake of presenting security in terms of Fear, Uncertainty, and Doubt (FUD). They share perspectives on the horrible things that could happen. However, playing off the fears of others does not motivate them to action, it causes them to avoid the conversation.
Instead, security leaders need to focus on how security strategy can improve existing business or enable new lines of business. For instance, demonstrating how an investment in Cloud Access Broker technology creates the ability to offer new cloud-based services, delivers a very compelling story line. Additionally, it demonstrates an understanding of the business beyond simply the technology.
Be prepared for the right questions
Responding with solid, tangible answers establishes expertise and confidence. In order to do so requires an understanding of how board members look at the business. Ultimately, when it comes to security, the board wants to know that appropriate measures are being taking to manage threats to the business.
Directors ask questions along the lines of “Could we get hacked today?” or “What would the impact be if we get hacked?” Answering these requires reading between the lines to understand what information they’re asking for. Fundamentally, they’re trying to assess risk and ensure that something is being done to address it. So share tangible efforts and programs that are in place, but do so in the context of critical business functions. Avoid talking about the latest technology you deployed, but instead describe the resiliance of business processes to recent publicized attacks.
Establish Visibility
Regular communication with the board can start without attendance at the meetings. CISOs should work with their top-level executives to establish a reporting cadence the with the board. A proactive approach, allows the CISO to shape the security strategy message and demonstrates competence and expertise. Furthermore, the regular cadence establishes visibility that builds a bridge into the board room over time. Ultimately, putting more security focused data in the hands of board members builds demand for further security discussion.
While it can be challenging, CISOs can drive the security discussion all the way up to the board of directors. Taking time to understand the board and their perspectives allows the CISO to exhibit their expertise and build confidence. Ultimately, as the board hears more from a competent CISO, their trust grows and their desire for interaction leads to a spot for the CISO at the big table.