Cyber Security: Bridging the Gap between Boards and their CISO
Alpna J Doshi, NACD.DC; formerly Thoma Bravo, Royal Philips, Deloitte, Verizon
Chairman & CEO @ Stralynn Consulting | Digital Transformation Expert
Our cybersecurity landscape feels like the wild, wild west. Accessible, voluminous, and widely spread data resides vulnerably in the cloud. With limited financial resources, we see ever-increasing reports of well-funded, successful security breaches. Meanwhile, boards everywhere must engage in cybersecurity decisions that directly impact the profitability as well as the longevity of their organizations.
But how does a board member successfully navigate this environment when the information they so critically need looks and sounds like the IM their teenager just sent to their BFF? The jargon commonplace to a CISO is often difficult for boards to decipher and almost impossible to translate into business impact. The challenge, however, is that this technical, dynamic, and high-velocity subject matter does not easily translate into the business terminology we use to make decisions.
In fact, I was talking to a CISO from a Fortune 100 SaaS company just last month. He shared his board presentation with me, looking for feedback. Like most of us, his enterprise was facing yet another set of existential threats, and it was his responsibility to educate the board. He had a thorough, 40-slide presentation filled with operational metrics, including mean time to resolution, phishing tests, password cadences, security ratings, and non-human traffic (NHT). A technical audience would have been extremely impressed, but most board members would have been stunned into inaction. Oh, and did I mention he only had 20-30 minutes this quarter to present?
Boards need answers to the big and strategic questions such as:
- How do we prioritize investments in Cyber Security?
- How secure are we relative to our industry?
- What are the most significant business risks from a breach, and how are we mitigating these risks today and in the future?
The disconnect between boards and their security teams is not sustainable. So, how do we close this gap to maximize the utility and the impact of both the board and the security team?
Consider a two-pronged approach: (1) educate yourself enough to be dangerous, and (2) create an open channel with the CISO to improve communications. It may require commitment, an open mind, and a collaborative environment, or it could just be a conversation starter. Either way, it is a conversation we all need to have.
In today’s blog, I’ll focus on the first prong, board cybersecurity education:
(1) As a board member, it is not critical that you become a technical expert, but it is more important than ever to educate yourself on the topic.
- Your company has already had, or will have, a breach; no business is immune. It will negatively affect your organization. According to IBM and the Ponemon Institute, the average cost of a data breach is just over $3.8 million.
- Do some internet research. Diligent, for example, wrote a great article on the basic principles every board of directors should know about cybersecurity. There are many more resources just a Google away.
(2) Enthusiastically support the following initiative: Everyone in the organization, including the board, should have appropriate cybersecurity awareness and training. Why? It makes your entire organization more secure, empowers your workforce, saves time and resources, and helps you maintain the trust of your customers.
(3) Consider engaging and educating your security team/CISO, and ask them specifically for the type of information you need (more on that subject in my next blog). Then, give them more than 30 minutes a quarter to present. You have a valuable resource. It’s important to maximize it.
Considering these steps will help ensure your organization’s long-term viability – it’s worth the time and effort. Stay tuned for part two of this blog, where I discuss how to create an open channel with the security team/CISO as well as how to help guide them on their communications with the board.
Comment (Channel Partner Distribution Creator | Cloud Program Innovator | EMEA Distribution Transformation & Growth | Cybersecurity, Risk Management & AI Professional | Harvard & Oxford University, Saïd Business School), 3 years ago: Interesting! Thanks for sharing Alpna.
Comment (Business Leader | Strategy & Development | Innovation & Collaboration | Operations & Technology Enthusiast | Mentor | Customer Success Advocate | Business Analysis | Process Formulation | People & Change Management), 3 years ago: Thanks for sharing