Almost everyone agrees that active board engagement is essential to driving cyber transformation. Inside boardrooms, however, there is still a significant amount of justified frustration. Most corporate directors still find cybersecurity very complex and inaccessible; they feel like passengers on a runaway train that the driver can neither control nor stop.
A paper published by the Harvard Law School Forum echoed this sentiment. One of the responding corporate directors lamented, “Boards are illiterate about cybersecurity and the company’s reliance on information technology. But enterprise access to the internet is fundamental to delivering value, and all those transactions that rely on access to the internet are inherently unsafe. That’s not true of any other aspect of risk that boards deal with.”
A subset of CISOs argues that boards and corporate directors should proactively pursue cybersecurity education to close the gap. Based on my experience on the frontlines and collaborating with members of the Cyber Leadership Institute community, the fastest way to address this critical matter is for CISOs to raise their storytelling game, move away from numbing cybersecurity vocabulary, and learn to communicate cyber risk with clarity, brevity, and humanity. Here are my top ten tips CISOs can deploy to uplift their board reports.
- Leave negativity to doomsayers and weather reporters. Fearmongering or playing the victim projects a tone of weakness and harms your credibility. Instead, give the board assurance that you have uncovered all the blind spots and established a high-impact program to fast-track remediation.
- Resist the ever-lingering temptation to filter the bad news. If your capabilities are below the industry average, your program is underfunded, or key initiatives are at risk, then say it. Courage and transparency are the hallmarks of leading CISOs. Sugar-coating high-rated risks is a terrible mistake that often comes back to bite at breathtaking speed.
- To maximize the limited board attention, stay focused on crown jewels — high-value systems that underpin strategic business lines and competitive advantage, e.g. core applications, intellectual property or market-sensitive information.
- Refrain from reporting on vanity metrics, which only arouse emotions but don’t drive any meaningful change. For example, telling the board that you responded to 3000 alerts during the last quarter raises more questions than it answers: How many of these were false positives? How well have we tuned our monitoring systems? The game changes, however, when you tell the board that 20% of your core applications, which support 80% of your revenue lines ($3.2 billion), do not have any offline backup — a debilitating ransomware attack will leave the business with no recourse.
- A survey conducted by ICSA: The Governance Institute and Board Intelligence found that 20% of board packs are usually longer than 250 pages, with 1% over 800 pages. So, it’s vitally important for the CISO to avoid the fluff and get straight to the point. Writing with brevity means patiently working through several drafts, pruning clutter, and stripping every sentence to its cleanest form.
- Emphasize the WHY by rigorously tying key risks and cybersecurity transformation programs to strategic goals and corporate values. To achieve that level of clarity, the CISO must understand the business value chain, replace vague ideas with concrete details, and express them in the business language: Money.
- Excessive technical lingo (zero-trust, zero-days, APTs, CVEs) can make cyber leaders feel educated, but it repels business stakeholders. To avoid this common trap, get your drafts peer-reviewed. We are too close to our creations to spot their flaws. If a fellow executive doesn’t understand something, then rewrite it because it’s likely that some board members will be left confused.
- Avoid information overload, but be careful not to oversimplify; corporate directors are competent. By now, most of them know the main threat actors and their motives. Also, stay away from overused clichés like “It’s no longer a matter of if, but when we will be hacked”, as this can sound patronizing and does very little to advance your agenda.
- Use clear and concise commentary to explain any critical risks outside of appetite: the likely business impacts, the risk drivers, the mitigating controls in place and, most importantly, what you are doing to reduce the material risk to acceptable levels.
- Always anticipate board questions and concerns. Remember, most directors sit on multiple boards, so they are likely to ask about concerns raised elsewhere. Questions that come to mind include: Were we impacted by the recently announced breach or vulnerability? Are we investing enough in cybersecurity? Has our control environment been independently validated? How robust are our controls against ransomware?
For too long, cybersecurity professionals have advocated for more significant business visibility and influence. But they also need to play their part, particularly by articulating this crucial business risk in ways non-IT business leaders find relatable and understandable.
By the way, did you know we have a freely downloadable CISO Playbook that discusses risk reporting in more detail? CISO Playbook: Developing lean, efficient and effective cyber governance structures. https://cyberleadershipinstitute.com/ciso-playbook-cyber-resilience-governance/
Also, check out our premium Cyber Leadership Program that helps cybersecurity professionals accelerate their path to the CISO role and excel at the highest levels. https://cyberleadershipinstitute.com/leadershipprogram-video/