Why Boards Tune Out CISOs: Lessons from 2 Conference Panels

December 12, 2019  Jeff B. Copeland

Surveys of corporate directors consistently show that boards aren’t satisfied with reporting from chief information security officers and rank them at the bottom in management for communication skills. At the recent Cyber Balance Sheet summit in New York, that disconnect was clearly on display in two separate discussion panels on the same topic “The Language of Cyber Risk,” one panel made up of board members and board consultants, followed by another of CISOs.

Some quotes from the discussions tell the story – first from the board panel, then from the CISO panel.

What boards want from CISOs: Hard numbers that show cyber risk and answer concerns about their fiduciary responsibilities

“Cyber risk is a risk like credit risk or any other. You don’t fix credit risk, you quantify it and you manage it.”

“The vast majority of boards are not technical people. We don’t even know the right questions to ask. So really, we are asking ‘Are we vulnerable and what’s the impact of that vulnerability?’”

“The CISO’s responsibility is to collaborate with the business folks and understand what are the metrics that most meaningfully measure our vulnerability and impact and if you can quantify that, that’s even better. Most of the people sitting on board of directors are either financial types by training or they’re business folks so they understand numbers and what is the impact.”

“Hopefully, in a few years, we can be at the same level of conversation with the cyber side that we have with Audit.”

“It’s very difficult to quantify cyber risk because so much of it is reputational…But we’re now at a point where we are able to begin to quantify what is the impact to the shareholders. Because at the end of the day that’s what boards are concerned about: shareholder value and their own liability.”

“I have seen pages and pages of information security reports and talk about where we are in the maturity level and laying all sorts of data on us and I walk away from that not really knowing what I just saw.”

What CISOs give boards: Story time with “maturity models” that compare the level of installed security controls with industry standards 

“We have a huge emphasis, and bigger than ever this year, on storytelling. We kicked off our meeting with the board with a two-minute video of the Equifax CEO press conference and that led to a discussion on what’s happening with our cyber maturity metrics.”

“If you get too heavily into the metrics, you get away from the story, it loses context, it becomes meaningless and we’re not a technology company. So really it’s about what’s your goal and that lends itself to a story.”

“There are some metrics behind the maturity we assign in some areas but a lot of that is also subjective. It’s a combination of quantifying and qualifying both what our maturity model level is or what our residual risk is.”

“We use maturity models that show where we are, what the industry averages are…We say, hey, if you give us $500,000 we can go this far. If you give $500,000 to somebody else, here’s the delta and that visual thing seems to resonate.”

[In response to a question about whether boards hold the infosecurity group responsible for return on security investments, either before or after] “No pressure on either end. I want to believe that we frame the story to say here’s the journey we are on and the journey changes by what we’re up against and how effective were we the last time that we checked. And because that journey has just been ongoing, we’ve never come back to, oh my gosh, did you waste money. It’s just constantly chipping away.”

To which one of the board panelists, a former top cybersecurity official at a government agency, replied by imagining how a former boss would react: “If you walked into the Secretary’s office and told him ‘It’s a journey,’ he would say ‘Yes, and the first part of the journey is you’ and throw you out of the office.”

It doesn’t have to be this way.

CISOs and corporate directors at leading companies are now finding common vocabulary, common goals and common ground around cyber risk through the FAIR risk quantification model and the RiskLens platform, purpose built on FAIR.

With risk quantification, technologists and business leaders view cyber risk in financial terms, supporting decision-making that’s transparent to all. FAIR and the RiskLens platform finally put cyber risk fully in line with the rest of enterprise risk management.  

FAIR is compatible with any of the commonly used maturity models – in fact, it enhances their use by showing return on investment for moving up the maturity scale.

Join the quantification revolution. Contact us for a demonstration of how FAIR and the RiskLens platform can synch boards and CISOs at your organization.