Cybersecurity: Communicating Effectively with Your Board
May 5, 2025
Communicating with boards of directors on cybersecurity issues presents several challenges, not the least of which is the fact that only 5% of company boards have a cybersecurity expert on them. But perhaps the biggest challenge is sorting out the signal from the noise – i.e., determining what information boards need to hear about cybersecurity issues without overburdening them with technical information. A recent CSO Online article provides some advice to CISOs about how to communicate effectively with their boards. This excerpt says that CISOs need to focus on strategic issues, not merely metrics:
Paul Connelly, former CISO turned board advisor, independent director and mentor, finds many CISOs focus too heavily on metrics while the board is looking for more strategic insights. The board doesn’t need to know the results of your phishing test, says Connelly. Boards are focused on risks the organization faces, strategies to address these risks, progress updates, obstacles to success, and whether they’re tackling the right things.
“I coach CISOs to study their board — read their bios, understand their background, and understand the fiduciary responsibility of a board,” he says. The goal is to understand the make-up of the board and their priorities and channel their metrics into risk and threat analysis for the business.
Using this information, CISOs can develop a story about their program aligned with the business. “That high-level story — supported by measurements — is what boards want to hear, not a bunch of metrics on malicious emails and critical patches or scary Chicken Little-type of threats,” Connelly tells CSO.
The article also points out that there is often a disconnect between a CISO’s priorities and those of the directors. CISOs prioritize technical expertise and depth of knowledge, while boards prioritize communication skills and business acumen. In order to bridge this gap, the article urges CISOs to use resources such as media reports to illustrate how security incidents can be linked to security controls, how the company’s cybersecurity budget is being used and how those expenditures impact the company’s risk level and response times if faced with a similar threat.