With cybersecurity incidents on the rise, the chief information security officer (CISO) needs to be in direct communication with the corporate board. But there is often a vast separation between what the board understands about security and what the security department understands about business priorities.
As a result, there is a significant disconnect between the security leader’s priorities and the board’s agenda in many organizations. What’s driving this communication breakdown — and how can CISOs bridge this gap to improve cybersecurity reporting?
Communicating Across the Great Divide
A 2017 report from risk management firm Focal Point Data Risk found that board executives’ most pressing concerns often fall to the bottom of the CISOs’ agenda. For example, board members cited data protection as the aspect of security that provides the most value to the business. CISOs, on the other hand, pointed to security guidance.
Meanwhile, 42 percent of CISOs said they were confident about the effectiveness of their organization’s security program, while board directors stated the opposite. Eighty percent of executives surveyed also ranked risk posture as the most important metric for reporting security, but fewer than 20 percent of CISOs thought the same.
Four Cybersecurity Reporting Tips for CISOs
With this disconnect hounding security leaders, how can CISOs present crucial information and communicate security’s needs and priorities to board leadership? Below are four tips security leaders should consider when prepping for their next board presentation.
1. Learn to Speak the Language of Business
“Our advice to our CISO clients is put yourself in your board executives’ shoes and talk to them in their language,” said Grant Wernick, CEO and co-founder of Insight Engines, which develops cybersecurity products using natural language understanding. “Have a business conversation that demonstrates how you and your team are not only increasing the company’s security posture, but also enabling key business priorities.”
Of course, that means the CISO must have an understanding of the organization’s key business priorities before going into the presentation. Unfortunately, that isn’t always the case for many security leaders, according to Phil Gardner, CEO of the Institute for Applied Network Security (IANS), a security consulting and research firm.
“From an informal straw poll that I’ve been conducting, I’ve learned that 60 percent of CISOs can’t articulate their CEO’s top three to five business priorities,” Gardner wrote in a recent blog post. “When you don’t know the business leaders’ priorities, making InfoSec relevant is nearly impossible. Aligning with the CEO’s business priorities forces InfoSec to work on initiatives that drive enterprise value. This, in turn, increases your clout with the board.”
2. Know the Three R’s: Reputation, Regulation and Revenue
While you are honing your business language skills, you should brush up on your topics too. According to Harry Sverdlove, chief technology officer (CTO) at cloud security provider Edgewise Networks, CISOs can get the board’s attention by focusing on the three R’s: reputation, regulation and revenue.
“Look at regulation as an opportunity,” Sverdlove said. “As security professionals, we know regulation is not security, but it raises the awareness of it so you can discuss it with the board.”
Another useful tactic is to refer to news headlines, Sverdlove said, because that will speak to the board’s concern about the potential impact of a data breach on both the organization’s reputation and its bottom line.
“No one wants to be on the front page of The New York Times,” Sverdlove said. “They are concerned about being a headline and they want to know what risks could get them there. Speak to the board on topics they understand. They understand corporate reputation.”
3. Be the Bearer of Good News
A common perception is that security is the department of doom and gloom, but surely there is some positive news to report. CISOs will need to occasionally report on the bright side of security if they want to gain the board’s respect.
“You have to be able to communicate progress,” Sverdlove said. “It’s essential to be able to say, ‘Here is our progress on the projects we’ve been proposing,’ and communicate that plainly and in business terms. In security, we like to give code names and we like to talk jargon. But the board wants to clearly hear about business impact and the customer impact of each proposal.”
It’s equally important to demonstrate an ability and willingness to challenge security conventions. Failure to do so often puts the organization at risk because the threat landscape is continually evolving, with attackers adopting new tactics to circumvent traditional security methods.
“Give the board assurance that you are thinking outside the box — not complacent with maintaining status quo,” Wernick advised. “From a security perspective, people are following standard ways of doing things — in a static and reactive approach — which increases risk.”
4. Consider Your Context
What tools and visuals are you using to present to the board? Wernick suggested conveying your results in ways that board directors are used to seeing.
“Many board discussions center around risks, and a familiar framework is a risk heat map,” Wernick said. “We suggest to our CISO clients that they demonstrate results in a similar visual fashion. For example, we worked with clients on a data health heat map that visually tells the story of use cases supported, data source coverage, et cetera. Even if the board doesn’t understand the nitty-gritty details, they will relate to the heat map visual framework.”
Gardner noted in his blog post that external standards, such as the National Institute of Standards and Technology (NIST) framework for board reporting, have grown outdated and called for new reporting methods.
“What savvy board members really want is a financial articulation of the risks being reduced through the company’s InfoSec expenditures,” Gardner wrote. “They want an InfoSec ROI [return on investment].”
Gardner advised security leaders to partner with the corporate chief financial officer (CFO) to assign values to the organization’s significant intellectual property (IP) assets and then seek support from peers and the board on these values.
“Building consensus on the values of these intangible assets will generate more meaningful conversations about where to best deploy scarce InfoSec resources,” Gardner wrote.
Security Culture Starts From the Top
Reporting to the board is one of the CISO’s most crucial responsibilities. After all, the board makes the final decisions regarding security budget, investments and initiatives.
Just as complex business principles are often nebulous to IT leaders, when it comes to cybersecurity, business executives only know what the CISO tells them. By contextualizing security needs in terms the board can easily understand, CISOs can help their organizations develop a strong security culture from the top down.