How To Effectively Communicate Cybersecurity To The Board 

It has become increasingly important for cybersecurity initiatives to receive board recognition, and CISOs must be able to clearly communicate those plans and goals to the board. Today’s ‘cyberscape’ is constantly evolving, and with that evolution come threats, particularly financially motivated and data-stealing attacks. With security breaches regularly making headlines in mainstream media, CEOs, Boards of Directors (BoD) and agency heads are focusing on cybersecurity and looking to the CISO for answers. Briefing the board of directors is an opportunity to proactively improve the visibility security receives and to gain support for strategic security initiatives. However, it is also an opportunity to make mistakes that hurt a career. To take advantage of the opportunity to brief the BoD, CISOs need to understand the expectations board members have when they hear from any C-level corporate executive. Some CISOs may feel a sense of disconnect from their board of directors and must learn to communicate cybersecurity to them effectively, in a way that is not overly technical. CISOs should have regular dialogue with the board and be prepared to take part in almost every board meeting. Communicating with the board, however, is more art than science. Effective communication with the board requires both meaningful data and a communications approach and style that actually influence BoD members' discussions and recommendations and drive the change necessary to advance corporate cybersecurity.

For smaller organizations that don’t have a board of directors, there should be at least a committee or council, made up of the people who manage the organization's different functions, that the CISO can approach. A CISO must go into the board with a business head — it’s about 70% listening and 30% suggesting a solution. The most valuable things you can give board members are honesty, expertise, respect for their time, and clarity about what you want. Most board members will be prepared as soon as you enter the room and will have read the read-ahead before the meeting. Board members are time constrained, and the CISO is just one item on the agenda. It is recommended to begin with the BLUF – Bottom Line Up Front. Don’t just tell a story or walk board members through PowerPoint slides; give context and demonstrate how it relates to what’s happening in the industry.

CISOs must be engaged and engaging while also mastering the basics of presentation delivery, such as maintaining good eye contact and being articulate about the things that matter to the business. Don’t use jargon, and don’t read slides or a script off an iPhone. When speaking with the board, don’t present; the meeting should be a conversation, not a presentation. Monitor your cadence and slow down if you are talking too fast. If you must use PowerPoint, include visuals that aid understanding while imposing the least cognitive load. A CISO must look at the data and see what it actually tells them. This is a far more honest approach than cherry-picking data that supports a predetermined narrative. Anticipate the questions the board is going to ask and incorporate them into the presentation. If you are addressing the board as a group, know who will answer which questions. The more relaxed you are, the better you can convey how you will help them solve a business problem. Lastly, don't forget to enjoy yourself and stay positive about your discussion. This is your moment to shine!