If you’re an information security executive tasked with reporting to the board, you should know your audience—and your audience probably a) thinks there’s a quick fix to your security problems, b) has forgotten whatever you told them in your last meeting and c) wishes you’d stop talking about patches and start talking about business options and business impact.
That’s some of the wisdom from “What CISOs Need to Tell the Board about Cyber and Technology Risk”, a session at the recent FAIR Conference 2017, led by a panel of veterans of CISO/board meetings. ( RiskLens is the Technical Advisor and a sponsor of the conference.)
On the panel:
- Wade Baker, founder of Cyentia Institute and adjunct professor at Virginia Tech, author of the Cyber Balance Sheet survey on CISO-Board communication.
- Yong-Gon Chon, CEO of Focal Point Data Risk
- Austin Adams, Board Member, KeyCorp, CommScope, and former CIO, J.P. Morgan
- Christopher Porter, CISO, Fannie Mae
- Kim Jones, Professor, Arizona State University, former CSO, Vantiv
Here are some of the tips from the panelists:
Speak in business terms
“By and large, CISOs are reporting security-related things to the board…When you ask boards what would they want to see, they want more business-oriented things…Things that increase your confidence as a security leader [like knowing you are 100% patched] are not necessarily the things that increase the confidence of the board.”
--Wade Baker
“I brief the board on here’s how I’m supporting your top 5 business objectives… If you’re not relating what you are doing to what the business is trying to do, you are not a security solution, you are a business problem.”
--Kim Jones
Keep it simple, stupid
“Let me give you the best tip I ever got on communication to the board [from Jamie Dimon, Chairman and CEO of JPMorgan Chase & Co.]: ‘I want you to make presentations to the board like you were talking to your mother…If I hear any word that’s anything other than your mother would understand, you’re in trouble’.”
--Austin Adams
“Small words, big fonts, lots of pictures usually works.”
--Kim Jones
Set realistic expectations
“We tend to get 'are we secure?' from boards of directors. Are your doors open for business? Then you’re not secure. So let’s start from that point. Now, if there are specific events that you are worried about, I can do something to reduce the probability of that occurring.”
--Kim Jones
“I’ve had interesting conversations around ‘When are you going to be done?’ Some of our board members are thinking about this in terms of project investments, and once the project was completed we were going to be done with cybersecurity and in that secure state. I had to describe that this is a process, that there are constantly new vulnerabilities coming out, and it’s going to be something that we are doing until the company closes its doors.”
--Christopher Porter
Move the focus beyond security incidents
“If you communicate about breach prevention, it’s the fastest way to lose a corporate director because you’ve now made something binary vs. looking from the position of ‘how is the business resilient’? What’s going to increase their confidence is not whether you prevented a breach, it’s when it does happen, you give the board member the ability to say ‘so what?. What actually happened?’ That’s what they want.”
--Yong-Gon Chon
Don’t assume any cyber knowledge
“These are people who may know about manufacturing, about sales. What percentage of the directors have any idea what cyber is about? As you work with the board, I encourage you to put it in the context of these people being pretty scared. They have director's and officer’s liability insurance so they likely are not going to lose their house but the point is, with reputational risk and all that, no informed person believes it is going away in the short term, number one. Number two, as a director, you know nothing about it. Number 3, you’ve had virtually no interaction besides a 15-minute exchange every other month with a CISO.”
--Austin Adams
Show and tell
“This year, I did a deep dive [with the board] into certain processes…Everyone of them has actually experienced a phishing attack. Also, they understand vulnerability. They quickly think there’s a patch that can be applied to that… We walked them through the tools we use when a phishing message comes in…and really simplified the message of what happens next…I showed them how quickly we could knock machines off the network, then do remediation… Showing them start to finish how we go through it, really helped.”
--Christopher Porter
Build confidence
“[Build confidence] by knowing your audience and understanding that board members measure everything as a function of time and as a function of target. So they want to see everything as measured by budget, as measured year or year and quarter over quarter, month over month: what’s the trend actually happening. And remember that most board members are LIFO processors, last in/first out. So you have to remind them what you told them the quarter before…The more consistently you deliver on what you promise, they more you’re going to increase confidence.”
--Yong-Gon Chon
“Confidence is an issue of answering two questions. One, are you doing what you said you would do. Two, are you doing the right things…And let’s start asking the right questions so I can answer that second question.”
--Kim Jones
Related
5 Questions Boards Should Ask about Cybersecurity
Presenting the Top 10 Risks to the Board