Today’s business and technology landscape is constantly evolving, and with that come threats, particularly in cybersecurity. Some chief information security officers (CISOs) may feel a sense of disconnect with their board of directors and must learn to communicate cybersecurity to the board effectively, in a way that is not overly technical.
CISOs should have regular dialogue with the board and be prepared to take part in almost every board meeting. However, “communicating to the board is more of an art than it is science,” says Myrna Soto, CEO of Apogee Executive Advisors, at a WSJ Pro Cybersecurity webinar.
Threats, especially cyber threats, are an ongoing process, so this is not a one-and-done conversation with the board. CISOs should let the board know how the business can react to a totally changed market condition or a changing cyber threat, and how the business can respond to it while keeping operations going.
“Ten years ago we were talking about bird flu; it never really materialized, but suddenly here’s COVID,” says Scott Howitt, McAfee CIO, at a WSJ Pro Cybersecurity webinar. “The threat isn’t necessarily imminent, but we should talk about it in case it happens,” he says.
With cyber incidents like SolarWinds and the Colonial Gas Pipeline, the Biden administration set out an aggressive response and new frameworks. However, “we have to be very careful that board members do not believe that regulation, and/or any type of oversight from the government, will be the silver bullet,” says Soto. “Very often many of the regulations, or many of the standards that are drafted, are very good; the only problem is that they’re static in nature, and obviously, we know that our environment is everything but static.”
“What I always recommend CISOs do is, whenever there’s an incident at another organization that is headline-worthy, that you immediately start to prepare to explain to your board, while you may be different, what you may be doing that may be different, or how you may also be at risk, and that’s the opportunity to request support,” says Soto.
For smaller organizations that don’t have a board of directors, there should at least be a committee or council, made up of the people who manage the organization’s different functions, that the CISO can approach. A CISO must go into the board with a business head: it’s about 70% listening and 30% suggesting a solution, says Howitt.
Soto recommends three key things to convey in the meeting: the ability to protect company data, third-party risk exposure, and the ability to manage privileged access.
One thing CISOs must do is communicate how valuable data is, because technology is everywhere. Howitt recalls working at a casino where the temperature of the chickens in the refrigerators was closely monitored to keep it at the proper level. For human health and safety, it was important that the company protected that data system.
CISOs, or any business leader, should ask what they are doing to make sure the impact is as small as possible if something goes wrong with those technologies.
Tips for Communicating Cybersecurity to the Board
Chris Labash, an associate teaching professor at Carnegie Mellon University, said at a WSJ Pro Cybersecurity webinar that the most valuable things you can give board members are honesty, expertise, respect for their time, and clarity about what you want.
Most board members will be prepared as soon as you enter the room and will have read the read-ahead (up to three times) before the meeting. Board members are time-constrained, and the CISO is just one item on the agenda.
Labash recommends beginning with the BLUF (Bottom Line Up Front). Don’t just tell a story or walk board members through PowerPoint slides; give context and demonstrate how it relates to what’s happening in the industry.
CISOs must be engaged and engaging: “Board members will never care about your presentation more than you do,” says Labash.
The basics of presentation delivery, such as maintaining good eye contact and being articulate about the business, are important. Don’t use jargon, and don’t read your slides or a script off an iPhone.
When speaking with the board, have energy, slow down, and don’t “present.” The meeting should be a conversation, not a presentation.
If you’re bored by your own presentation, the audience will be too. “You can’t bore anyone into buying your product,” said advertising tycoon David Ogilvy.
Labash recommends monitoring your cadence and slowing down if you are talking fast. If you must use PowerPoint, add only visuals that aid understanding and impose the least cognitive load.
A CISO must look at the data and see what the data tells them. “That method is a much more honest way of going about it than cherry-picking data that supports some narrative,” said Labash.
“If you are presenting, you are losing,” says Labash. CISOs need to focus, up front, on what it is they need.
Anticipate the questions the board is going to ask and incorporate them into the presentation. If addressing the board as a group, know who will answer what.
The more relaxed you are, the more you can convey how to help them solve a business problem.