Effective Board Communication for CISOs
Know Your Board
If you’re a CISO, your Board generally knows who you are and what you do. But do you know who they are? No Board is monolithic. Each Board member brings unique value to the Board. Each is selected for what they add to the Board’s perspective, vision, and decisions. If you know your Board, you can tailor your message to your audience and avoid some potential surprises.
Begin by asking yourself, who are the members of your Board? What are their skills, strengths, and particular areas of interest or concern? Learn their priorities and objectives, because what matters to each will likely matter to the Board at large, and what matters to your Board is the purest definition of what matters to your organization.
There are other considerations. If Board members sit on the Boards of other organizations, how might those relationships connect to your organization? Are they specialists in a particular vertical or sector? Do they operate in a specific function or department like Finance, IT, or Operations? If they don’t sit on other Boards, they may participate in another organization’s executive council and, in fact, that may be the key reason they’ve been chosen for your organization’s Board. Research your Board members as much as you can. The more you know, the more comfortable you’ll be communicating with them.
It may not be important to know whether any Board members have cyber security knowledge or experience. Certainly, anyone in a leadership position of any kind has learned a great deal by now about cyber security. Organizations talk to and learn from other organizations about their pain points and, maybe, their cyber incidents, too. Still, it’s possible that one or more of your Board members will have formal cyber security knowledge. Maybe they’ve served in technology-related roles or in a technology organization. Maybe their personal interests lie in technical things, which has its pros and cons. As the cliché goes, knowledge can be a two-edged sword, and a little knowledge may be more problematic than no knowledge at all. Be prepared to face that possibility.
Begin by asking yourself, who are the members of your Board?
You should also understand the composition of your Board. How is it organized? Is the chair an independent director whose only association with the organization is their Board membership, or are they an employee of the organization, for example the CEO? The Board likely has organized itself according to organizational domains: Finance, Governance, and Compensation are typical committees of most Boards. Others – and the most important ones for a CISO, are the Risk and Audit committees. Some Boards in fact have established a Risk and Audit subcommittee dedicated to cyber security. Regardless of where cyber security sits as a constituent domain among the organization’s Board committees, it is probable that cyber security oversight has been assigned to some Board function or one or more Board members. Given your role as a CISO and the potential risk posed by cyber threats to your organization, this level of interest and engagement is likely beneficial for your mission.
Understand Your Board’s Priorities
Your Board is focused on key elements that can guide the success of the organization or address any failures or weaknesses. Paramount for most Boards are the focus areas of organizational reputation, ethics and integrity, and regulatory compliance. All Boards are, by definition, strategic. That is, they focus on the big picture. They plan for the future of the organization. They care about whether the organization is executing to meet its business objectives. They care about whether the organization is measuring its performance and understand the ways in which salient and useful measurements can inform organizational strategy.
Boards also care about how well your organization’s performance and priorities compare with similar organizations. Benchmarking is always a useful activity for CISOs, and Boards often lean on benchmarking as a way to measure an organization’s plans and performance.
Communicate To Your Board With Purpose
You may or may not engage directly with your Board. If you believe that you have an issue or information that should be raised to the Board, bring it to your manager and, either directly or indirectly, to your CEO. Your CEO will decide what should or should not be presented to the Board. You will speak with your Board only with your CEO’s approval. Attempting to bypass your management team or CEO to speak directly with the whole Board or individual Board members is never a good idea, no matter how pressing the issue. Avoid pulling an alarm and demanding to be heard by your Board. The collateral damage to your mission – and your reputation in the organization – may become irreparable. Your Board worries about a lot of issues, and cyber security issues are just a subset. Work within the established system, and raise concerns within that framework.
If you’re asked to speak with your Board, it’s likely they are interested in something very specific – an update about some cyber incident, or your organization’s relative resilience for a recently publicized cyber incident at another organization. Or, they may be interested in a general status update about the organization’s cyber security projects and programs. They won’t necessarily be interested in what you believe is important, but they will probably be eager to learn what they should believe is important.
Tell them everything you think they need to know.
If you do address your Board, or a subcommittee of it, tell them everything you think they need to know. Inform them, teach them, enrich them, and guide them. Tell them about your current major cyber security projects and your future initiatives. Tell them about your risk assessments and current risk posture. Tell them about the maturity of your cyber security program and how your program stacks up in benchmarking exercises. Tell them how your cyber security program may provide value drivers or other business advantages. Tell them all of this if time permits. You’ll have about 10 minutes. Expect interruptions.
Your Board may ask about any number of things. For example,
- Have we had any incidents?
- Are we executing to plan?
- What are our risks?
- How do we compare with our peers?
- How are we addressing third parties and supply chain cyber risk?
- How does our cyber security program integrate with and support organizational IT and OT initiatives, for example digital transformation or operational excellence?
Never surprise your leadership with some topic or issue that the Chair or your CEO is unaware of.
Always begin by prepping your Board’s Chair or CEO. Provide pre-reads. Never surprise your leadership with some topic or issue that the Chair or your CEO is unaware of. Although it’s uncommon, some Board members may request side conversations, but these conversations should never happen unless the Chair or CEO knows about the request and has approved your participation in advance.
Your Board’s role is in cyber security can be pivotal. Boards and Senior Management set the tone for a quality cyber security program. Top-down leadership is essential. Yes, user behavior is crucial to any cyber security program and you need bottom-up participation, but your mission is defined at the most senior levels of your organization.
Tell Your Board What They Need To Know
If your organization is a public company, the Board may have a keen interest in the same information the SEC requires from all public organizations in their public filings. They will be interested in key risk factors rather than the detail behind your vulnerability management or detection and response programs. They will only want to hear about your base hygiene expectations if your organization’s current state significantly varies from plan in ways that could have serious risk implications.
In any communication with your Board, be consistent in expressing and explaining the long view, the strategic perspective, and not just any particular point in time – even if that time is dramatically impacted by a current event. For example, some organizations during COVID have increased their cyber security diligence to pay extra attention to remote work and online collaboration tools. Other organizations have slowed or paused some cyber security programs due to cash constraints or other impacting factors. These are snapshots of your current cybersecurity program. What are the long-term implications, if any? Remember: a cyber security program isn’t just about good defense; it is more about an organization’s abilities to be cyber resilient, its capability to sustain through and withstand the most severe impacts of any storm.
In any communication with your Board, be consistent in expressing and explaining the long view, the strategic perspective, and not just any particular point in time.
Overall, your Board needs to know whether or not your organization is cyber secure? Does your program identify risk, measure it by likelihood and impact, and make smart decisions about spend, effort, and focus? Does it have a program for continuous improvement and enhancement? Does it understand what it means to be compliant with regulatory regimes? These are not difficult questions for a CISO to answer, but it takes tact and care to answer them in ways your Board will understand, appreciate, and accept. Express yourself with clarity, cogence, and confidence to instill trust among leadership that you are doing the right things in the right ways. You, your Board, and your organization will be better for it.
Previously, we discussed the requirements of a mature data classification program. In this post, we are going to review the administrative mechanics of such a program. Data classification, you’ll recall, usually includes a three- or four-layer system akin to the...
Supply chain attacks aren’t new. In fact, The National Institute of Standards and Technology (NIST) published their initial report on supply chain risk back in 2015. One of the most well-known supply chain attacks happened shortly after in 2017. NotPetya corrupted...
Carl Timmons: CISO of Illuminating Solutions, a data analytics firm, forty-seven years old, never been married. Last Thursday, Carl arrived in San Jose on business. He was picked up by a company car and driven to The Manifeld Hotel. He was last seen leaving the hotel...
Let’s say you need to apply a critical patch across the organization, and the patch requires a reboot. While forcing a reboot to apply a critical patch is important, it creates business disruption that ripples out to your customers. Sooner or later, someone in the...
I just came off a big Zoom call with traditional bankers where they discussed changes in client behaviors, and the impact which new technologies bring, that fundamentally challenge today’s traditional European banking models. At the end of 2019, Boston...
Data classification can help secure your data for compliance and company policy. But where should you even begin in the classification process? To start, let’s go through the main data classification types. The four main classifications for data are: restricted...
Since the advent of space exploration in the 1960s, every child understands that the success of the space mission is dependent not only on the astronauts, but also on the engineers in the mission operation center. All complex missions or operations are high risk and...
Understanding what to do when you have EOL software becomes crucial to the security of your organization. So, what happens when your system reaches EOL? When software reaches EOL, it means that program will no longer be supported by the developer and there will be no...
I’m sitting at a table in one of the offices of my private security firm in a tense, but now familiar, setting. No matter who the client is, there’s always a strange energy when extremely wealthy and powerful people are asking you to accomplish the seemingly...