CNN Analyst Col. Cedric Leighton (U.S. Air Force, Ret.) kicked off a recent SecureWorld web conference with a level-set on where cybersecurity stands on reporting to the board.
The board wants to know more about cybersecurity
The good news is that the board of directors wants to play a part.
"Your board wants to be active on this, but you have to help do some translation for them around cybersecurity and train them to some degree."
The challenge for security leaders is remembering that the board faces continuous inputs on cyber risk from many directions. It might be coming from other business leaders, the mainstream media, or even social media.
Part of the CISO role is to help the organization separate the wheat from the chaff to see how much of that information is correct and how much of it matters to the organization.
"I think you need to transform yourself into a sort of intelligence officer, where you have a clear understanding of threats and can present those," Leighton says.
This leads to an important question: When you report this intelligence to the board, do you know what they are looking for or care most about? You should, and it should inform how you approach things.
Cybersecurity reporting, each board is different
In a poll question during the web conference, attendees were asked what their boards care about when it comes to security. This was a multiple-choice question:
Mike Maziarz, Chief Marketing Officer of SecurityScorecard, says the results verify the idea that each board is different. Maziarz was the second presenter in the web conference.
What is a CMO doing on a cybersecurity web conference?
"If you wonder why the marketing guy is here, it's because my role is to share messages effectively over multiple channels, and I'm excited to share some of my insights when it comes to communicating with the board."
Strategies for communicating cybersecurity to the board
For starters, he says there are three key things to keep in mind:
1. Boards can't improve what they don't understand.
2. You can learn to speak their language.
3. You can unlock board engagement and better decision making with an easy to understand framework and related benchmarks.
Maziarz suggests going back to the basics as a starting point by reminding the board of the following:
- Adversaries do not play by the rules.
- A hacker's mindset is unique.
- They're adopting tech faster than we are.
- They'll usually attack the weakest link, not the lock.
And when you are in the room presenting to the board—or discussing security investment with your CFO, for example—try to see the question behind their question.
Another consideration: how well your message travels. How does it resonate through the C-suite to the boardroom even when you are no longer in the room?
Maziarz also shared the S.C.O.R.E. framework his CISO uses to present to the board. The acronym stands for Secrets, Climate, Observations, Ratings, and Employees.
Turning your cybersecurity mission into a story for the board
Mitch Parker, CISO at Indiana University Health, presented next in the web conference, and he says you must create a story for the board around security.
You should start by figuring out who your board members are and what they value individually, if possible.
"If you do not do your research, you will be eaten alive," says Parker.
He suggests following them on social media and looking at them on LinkedIn. Are they sharing or liking certain kinds of articles or posts that reveal their hot button issues? Whatever you say about security will be viewed through each board member's point of view.
Next, he says you must understand your organization and where the board of directors and your CEO want to take it. You can build your presentation on cybersecurity around those themes.
"You want to first talk about your core initiatives. Talk about the core initiatives that tie into the core missions and value to the organization. Talk about what they directly support, even though they might not be core to your mission, the core to the organization.
Talk about what they are, talk about how they fit, talk about the most important ones, because realistically, if you're working in security, you're part of every core issue, even if it's a minor part. And you've got to show your part of those core initiatives."
And here's another thing you can practice before any board presentation: Be ready to explain what your team does without mentioning tools or technical solutions, and be able to do this in about 30 seconds.
On-demand cybersecurity webinar: presenting to the board
Do you need to present cybersecurity to the board? Do you need to prepare your CEO or your CIO to do it? Watch this complimentary web conference (on demand) to make sure you are on track: Communicating Cybersecurity to the Board.
The web conference is full of actionable information you can implement immediately to prepare for your next critical presentation on cybersecurity.