By Ori Arbel, CTO, CYREBRO
Nobody likes to be misunderstood, least of all C-level executives who play a key role in strategic decision-making in enterprises. Yet CISOs frequently find themselves frustrated in their interface with company boards. They’re feeling misunderstood and looking for ways out of the maze of confusion that surrounds cybersecurity budgets and operations.
Basically, they’re having trouble getting their board on-board with their cybersecurity programs.
The root of the challenge is that cybersecurity is by nature both highly strategic and closely linked to business goals (something board members understand very well) and highly technical and dependent on an in-depth understanding of the threat landscape and company security posture (something board members are less comfortable with).
So how can CISOs bridge this gap? What is it that board members need to understand better about cybersecurity, and how can CISOs more effectively communicate these messages? We’ve gathered eight of the top board communication tips from CISOs like you…
Eight Tips for the Perplexed CISO
- Use your (business) words – CISOs come from tech, speak tech, breathe tech and live tech. But the nature of the CISO role demands a foot in both the business and technical worlds. Be the universal translator between these worlds. Explain risks and their potential impacts – on reputation, revenue, and compliance – in framing and language that your board can understand. You know that every technical metric aligns with a business goal – make sure they know it, too.
- Make it an organizational thing, not a security thing – Make it clear that cybersecurity isn’t an IT or network problem. It’s an organizational problem. Risk arises from both technical and human shortcomings. This means that board members need to understand that creating a cybersecurity-aware organizational culture is as important as (if not more important than) acquiring an arsenal of tools.
- Show that security is not simply an expense – Especially in challenging economic times, it’s important to show boards hard numbers, and not just about how cybersecurity prevents losses. The financial impact of a security incident can also be tied directly to measuring the ROI of cybersecurity investments.
- Rationalize your stack – Security stacks are high-touch and pricey. Make sure you can demonstrate your position as a fiscally-responsible member of the C-suite by adopting a data-driven, performance-centric and budget-conscious approach to security posture management – without compromising on your ability to defend organizational assets, of course.
- Explain risk but don’t go FUD – Explain your organization’s specific risks, but resist the temptation to preach FUD (Fear, Uncertainty, Doubt) – everybody knows the nightmare scenarios. Instead, stress the specific potential impacts of specific risks in the event of an incident – reputational, loss of business, regulatory fines, and downtime. Each breach or ransomware attack has a price tag – explain a few of these in depth to your board.
- Tie budget to risk – Sometimes, you have to go to the board for budget. When this time comes, explain how it’s going to help reduce or minimize specific risks. Specify how the risk the budget is supposed to mitigate could impact the organization in case of an incident, how exactly the budget will be used to mitigate each risk, and how you’ll measure the ROI of the assets the budget is funding.
- Ask them questions – In any situation, talking with people is better than talking at them. Ask your board to play a role in defining what your company’s most important assets are, and how their protection should be prioritized. Together, discuss the risk factor for each asset in the event they’re compromised. Ask them whether they feel the cybersecurity investment is sufficient given the organizational risks you delineated together.
- Have a field day – Conduct yearly or even biannual tabletop exercises for board members. Let them feel and experience the organizational impact of a breach. Ask them what they think their role should be when/if there’s a major security incident.
The Bottom Line
Getting the board on board with your cybersecurity program is crucial to being an effective organizational security leader. It’s no small challenge. Yet by taking the time to understand who your board members are, how they think, and how they perceive value – along with sharing a slice of your world in a way they can digest – you’ll find the rocky path to gaining your board’s alignment that much smoother.
About the Author
Ori is CYREBRO’s CTO, coming from a strong technical cybersecurity background, specifically with years of experience operating and managing global monitoring and investigation teams. He brings in-depth working knowledge of cutting-edge cybersecurity platforms and innovative technologies. Ori can be reached online at LinkedIn and at CYREBRO’s website http://www.cyrebro.io.
March 27, 2023