A CISO’s guide to discussing cybersecurity with the board
With data breaches on track to reach an all-time high, chief information security officers (CISOs) are on alert to find blind spots in IT infrastructures and mitigate risks to keep their organizations safe.
Recent high-profile attacks should be enough warning for companies to take action, yet a report from Deloitte shows that cybersecurity gets a little over 10% of overall IT budgets. Without the proper resources, CISOs can’t effectively protect companies from threats – but when a company is attacked, CISOs are often the first to get blamed.
To get the assets needed for CISOs to properly do their jobs, business leaders need to invest time, attention, and money in cybersecurity. Here are helpful ways that CISOs can discuss cybersecurity with their C-suite and board members.
Work your way to the table
As a newer role within organizations, CISOs may not yet be understood by leadership teams or have a seat at the executive table. Some CISOs may also report to other IT leaders such as a CIO or CTO, making it difficult to build trust with the rest of the C-suite and board. Even if you have a good relationship with your supervisors, some of the messaging might change as it goes through the chain of command.
It’s frustrating to not have a seat at the table, but there are other ways to be heard.
One way is to start building relationships with other members of leadership. You can try meeting one-on-one with business shareholders to share ideas, enjoy informal conversations or identify an ally.
In my own companies, I encourage these types of meetings. When team members want to run ideas by me, I’m happy to listen — regardless of their titles. If they bring in some good thoughts, I usually think them over and may follow up if the employees present compelling ideas. Building this trust may lead to me bringing these ideas to the board or even inviting the employees to present themselves.
Of course, it’s ideal to always have a seat at the table, but if that’s not possible, work your way up. Anyone can make an impact, but you must put yourself out there and build trust with your leadership.
Focus your message
When you get a chance to speak with executives, you typically don’t have much time to discuss details. And frankly, that’s not what executives are looking for, anyway. It’s important to phrase cybersecurity conversations in a way that resonates with the leaders.
Messaging starts with understanding the C-suite's and board's priorities. Usually, they are interested in big-picture initiatives, so explain why cyber investment is critical to the success of those initiatives. For example, if the CEO wants to increase total revenue by 5% in the next year, explain how an investment in cybersecurity can prevent major unnecessary losses from a cyber attack.
Once you know the executive team's and board's goals, look at specific members and identify a potential ally. Has one team recently had a workplace security breach? Does one leader have a difficult time getting his or her team to understand the makings of a phishing scheme? These interests and experiences can help guide the explanation of the security solution.
Lose the tech jargon
If you’re a CISO, you’re well-versed in cybersecurity, but remember that not everyone is as involved in the subject as you are, and business leaders probably will not understand technical jargon. Conversations that lead with highly technical terms are unlikely to capture and hold a C-suite or board member’s attention.
CISOs are the translators that explain cybersecurity needs to leadership in a way they understand — through real-life examples and business metrics outlining risk. If you speak their language, executive leaders will be more willing to consider a proposal.
There’s more to being a CISO than keeping track of evolving risks and staying up to date on technological advancements. You are also an advocate for cybersecurity initiatives that protect the company, convincing executives to invest in cybersecurity. Working up to the board room might not be easy, but with clear and relevant messaging, you can be a champion for a strong cybersecurity strategy.