Boards and CISOs: A Blueprint for the Bridge
Alpna J Doshi
Chairwoman of the Board | Independent Board Director | National Association of Certified Directors | Former C-Suite Operating Partner Thoma Bravo GCIO Royal Philips CIO Reliance Group Deloitte & Touche Verizon
In my last blog, Cyber Security: Bridging the Gap between Boards and their CISO, we looked at what board members can do to better engage with cybersecurity decisions, since those decisions directly affect the profitability and longevity of the enterprise. The key is to maximize the utility and the impact of both the board and the security team.
The first step of the two-pronged approach was: Educating yourself enough to be dangerous.
- Understand the likelihood of a breach and familiarize yourself with good cybersecurity practices
- Enthusiastically support the following key initiative: Everyone in the organization, including the board, should have appropriate cybersecurity awareness and training
- Engage and educate your security team/CISO, asking them specifically for the type of information you need, and then give them ample time each quarter to share their valuable insights.
This final bullet point is the perfect segue into the second step of the two-pronged approach: Creating an open channel to help guide your CISO on their communications.
Chances are your security team/CISO will welcome ways to improve communications with the board. Not only will this make them more valuable leaders, it will also support their efforts to prioritize the right investments to protect the enterprise. So, talk to your CISO and your security team. Explain the enterprise cybersecurity risks as you see them, open the door to suggestions, and offer some solutions.
(1) Start by encouraging your security team to limit their presentations to three slides.
- Threats & Risk
- Likely Business Impact
- Solutions
(2) Ask them to try to describe cyber risk in terms of actionable metrics tied to a balance sheet. For example, share the statistical likelihood of a breach as well as how much capital is at risk. By coupling the statistical probability of a loss with a dollar value tied to it, you give the board the information they need to determine the amount of cyber risk it can tolerate and prioritize its decisions accordingly.
(3) Finally, when trying to describe a technology or a solution, suggest the security team eliminate details about how the technology works and focus on what the technology can accomplish. For example:
- Does it decrease the chances of a breach, and by how much?
- Does it decrease the amount of time your team will spend mitigating a breach? If so, how much time will it save your team, and how much money will it save the enterprise?
- What is the expected ROI of a particular investment?
- Consider cost avoidance. Would a breach impact productivity, and what would that cost be to the enterprise?
Finding better and better ways to communicate and evaluate security risks will ensure your organization's long-term viability. Outcomes should drive your security investment. Define them up-front and be prepared to pivot as needed. And treat cyber risk like traditional business risk – focus on identifying an acceptable tolerance and then weigh it against all other risks and strategic opportunities for the enterprise.
I would love to hear about the steps you have taken to close the gap between your board and security team. In the meantime, stay tuned for the final part of this blog series – a deeper dive into the slides and content you might request from your CISO.
Remarkable thoughts, Alpna. The key is that both need to talk to each other in language the other understands. Security is too important to just leave to security folks. Gone are the days when board members could claim ignorance or less knowledge on tech stuff. That generation will disappear faster with time.
Innovation Evangelist - Europe at Capgemini
Excellent points. The additional thing that comes to my mind is the partner angle. Typically you have half of your applications in a hybrid cloud setup with the hyperscalers as the key players. In many cases you subscribe to one or more cloud native ERPs as well. Those create additional vulnerabilities and complexities to the cybersecurity landscape. Presenting a comprehensive view to the board is quite a task!!