As cyber threats and attacks continue to evolve, so has the role of the CISO – including how CISOs communicate and report to the board of directors. Beyond reporting on an organization’s security posture, CISOs are increasingly responsible for aligning security initiatives with business objectives. With new and emerging regulations like the recent SEC disclosure rules, boards are turning to CISOs to ensure that assets are protected, that the organization’s security posture is strong, and that the organization is in compliance.
Building an impactful and positive relationship with the board can lead to improved collaboration that drives cybersecurity initiatives, funding, and improved business decision-making.
In this blog, we’ll explore tactics for CISOs to effectively create trust and rapport with the board of directors.
1. Determine what the board wants from you as a security leader
Depending on the unique objectives of the board, the needs from the CISO or security leader may not be obvious. So, don’t be afraid to ask for specifics. While some boards may only seek information to ensure that the company is protected, others may want to understand how the organization compares to competitors, data on IT and security ROI, or more.
To kick-start conversations with the board and align on initiatives, consider asking questions like:
- What are your biggest cybersecurity challenges and priorities? How do they impact your overall decision-making and strategies?
- What cybersecurity data or information best supports your decision-making?
- How can I ensure my cybersecurity initiatives are aligned with your obligations to the company?
Directly asking what the board needs and how you can best support their obligations to the company will help you build trust much faster than guessing and getting it wrong.
2. Understand the type of board you’re reporting to
Each board’s level of involvement and workflow will be unique to the organization they govern. While it may seem like providing every metric or measurement is essential to gaining the board’s attention or trust, taking a step back to understand the dynamics of the board you’re working with can save time and amplify your reporting.
Some boards may not need the technical details of the security program; others may. That’s why it’s important to identify their needs so you can provide exactly the information they’re looking for.
When reporting metrics to board members, avoid those without a clear purpose or that are too technical. Instead, focus on metrics that align with their priorities, and provide insights they can use to make strategic and informed decisions. Consider measurements that resonate with your particular board of directors, provide valuable insights, and align closely with your organization’s goals and objectives. A few may include:
- Metrics that indicate a high-risk organization: If you’re trying to signal security weakness in your organization, pull metrics that identify security gaps. For example, show the number of cloud instances and accounts that don’t adhere to industry frameworks and benchmarks like CIS Top 18 and Cloud Benchmarks.
- Reduced business risk: To demonstrate improvements in security posture, identify metrics that show a reduction in overall risk. Examples include mean time to detect (MTTD) and mean time to remediate (MTTR), which help board members understand your program’s impact.
- Market growth and expansion: Connect your security initiatives to business growth objectives by selecting metrics that highlight the role of cybersecurity in market growth and expansion. Consider measuring the successful launch of new services in specific regions, or tracking the security requirements that help secure partnerships and contracts.
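To make the three kinds of metric above concrete, here is an added example (not code from the original post) that computes board-level figures from a small set of constructed incident records and benchmark results: the number of cloud accounts failing benchmark checks (a "high-risk" signal), MTTD and MTTR (a "reduced risk" signal when compared against a prior period), and the open-incident count. The record layouts, account names and the `board_summary` helper are all assumptions made for this illustration.

```python
"""Board-level security metrics from constructed sample data (added example)."""
from datetime import datetime
from statistics import mean

# Constructed incident records: when attacker activity began, when the security
# team detected it, and when remediation finished (None = still open).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00:00",
     "detected": "2024-03-01T08:00:00", "remediated": "2024-03-02T08:00:00"},
    {"id": "INC-2", "occurred": "2024-03-05T10:00:00",
     "detected": "2024-03-05T10:30:00", "remediated": "2024-03-05T14:30:00"},
    {"id": "INC-3", "occurred": "2024-03-10T00:00:00",
     "detected": "2024-03-10T12:00:00", "remediated": None},
]

# Constructed per-account benchmark results: failing checks per cloud account.
ACCOUNTS = [
    {"account": "prod-1", "failed_checks": 0},
    {"account": "prod-2", "failed_checks": 3},
    {"account": "dev-1", "failed_checks": 7},
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mean_time_to_detect_hours(incidents) -> float:
    """Average hours from occurrence to detection, over every incident."""
    deltas = [_hours_between(i["occurred"], i["detected"]) for i in incidents]
    return mean(deltas) if deltas else 0.0


def mean_time_to_remediate_hours(incidents) -> float:
    """Average hours from detection to remediation. Open incidents are excluded
    rather than counted as zero, which would otherwise flatter the figure."""
    deltas = [_hours_between(i["detected"], i["remediated"])
              for i in incidents if i["remediated"] is not None]
    return mean(deltas) if deltas else 0.0


def open_incident_count(incidents) -> int:
    """Incidents detected but not yet remediated."""
    return sum(1 for i in incidents if i["remediated"] is None)


def non_compliant_accounts(accounts) -> list:
    """Accounts with at least one failing benchmark check, worst first."""
    failing = [a for a in accounts if a["failed_checks"] > 0]
    return [a["account"] for a in sorted(failing, key=lambda a: -a["failed_checks"])]


def percent_change(previous: float, current: float) -> float:
    """Percentage change from a prior period; a negative value is an improvement
    for time-based metrics. Returns 0.0 when there is no prior baseline."""
    if previous == 0:
        return 0.0
    return (current - previous) / previous * 100


def board_summary(incidents, accounts, prior_mttr_hours: float) -> dict:
    """Assumed reporting layout: a handful of figures a board can act on."""
    mttr = mean_time_to_remediate_hours(incidents)
    return {
        "mttd_hours": round(mean_time_to_detect_hours(incidents), 1),
        "mttr_hours": round(mttr, 1),
        "mttr_change_pct": round(percent_change(prior_mttr_hours, mttr), 1),
        "open_incidents": open_incident_count(incidents),
        "non_compliant_accounts": non_compliant_accounts(accounts),
        "compliance_rate_pct": round(
            100 * (len(accounts) - len(non_compliant_accounts(accounts))) / len(accounts), 1),
    }


if __name__ == "__main__":
    # Prior-quarter MTTR of 20 hours is a constructed baseline.
    for key, value in board_summary(INCIDENTS, ACCOUNTS, prior_mttr_hours=20.0).items():
        print(f"{key}: {value}")
```

The point of excluding open incidents from MTTR, and of reporting the change against a prior period rather than a bare number, is exactly the "why does this metric matter" question from the next section: a board can act on "remediation time fell 30% quarter over quarter, two of three accounts still fail benchmark checks" where a raw list of durations tells it nothing.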
3. Understand how you can achieve the board’s objectives and trust
Building trust can take time with one person, let alone a whole group of people. So, how do you begin?
Start by assuring the board that you’re proceeding to meet their objectives with accurate information. As you pull data for board-level reports, ask yourself, “Why does this metric matter? How does it contribute to the organization’s success?”
Using the right tools can help you gather reliable data that is complete, unbiased, up-to-date, and derived from multiple data sources.
But that’s only one step of the process. The other? Knowing when the fine details matter, and when they don’t. For example, dashboards can quickly communicate complex information – particularly useful for succinct reporting. At other times, boards may need detailed data to understand overall security posture or the analysis of a security incident.
Building trust and support starts with being reliable. When the board can trust your reporting, buy-in for future security initiatives is met with much less resistance.
4. Be clear and concise in your reporting
Cybersecurity terminology can be nuanced. For example, do your executives understand the difference between a security “incident” and a security “event”? Though you and your team may know, your board of directors may have a different understanding of each.
Defining terms and their differences can help you set up a clear framework for communicating with the board, disclosing information to security or privacy regulators, or even within customer contracts.
5. Set the tone for security through education
Setting the tone for security throughout the organization is up to the CISO – and it shouldn’t be any different in the boardroom.
Continual advising and education can inspire a robust cybersecurity culture across the board of directors. A few ways to strengthen cybersecurity culture include:
- Communicate policies: As mentioned above, start with ensuring security protocols are clearly defined – including in corporate policies. This can help board members understand your organization’s security principles from the start.
- Be realistic: When discussing goals with the board, being unrealistic can create a sense of apathy. Goals should include an accurate understanding of your organization’s current risk, clearly defined steps to mitigate that risk, and the safeguards that are in place when things don’t go as planned.
- Be transparent: Transparency builds rapport and can help board members and other stakeholders understand protocols, or the significance of security posture, a security incident, or a security breach.
Building a strong relationship with the board of directors is critical to ensuring organizational trust, improving collaboration efforts, and increasing support for future security initiatives and funding.
While boards are increasingly paying more attention to CISOs to understand the organization’s security posture and risk, it doesn’t have to be intimidating. Understanding who your audience is and how to communicate with them can help create a long-lasting and positive relationship.