CISO’s Communication Strategy
Building and implementing an information security plan is one of the top responsibilities of a chief information security officer, or CISO. No matter what industry their organization exists in, a security plan will have common elements such as policies and procedures, new and updated technology, as well as an information security team to help put that plan into place. Information security plans also share something else in common: they often require approval from a board of directors in order to receive funding and the ability to move forward.
In order to receive this approval, it’s essential that a technology-minded CISO be able to effectively communicate with their organization’s board of directors – people who may not care about technology or cybersecurity. When the two worlds collide, problems can arise.
Dealing with Apathy
Michael Gentile, the CEO of CISOSHARE, addresses this issue in his book, CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives. While lack of interest is one cause of board-level apathy about cybersecurity, the root cause is often fear and a lack of understanding.
“There is nothing like fear to create anxiety and unpredictability in an executive,” Gentile writes. He goes on: “Board members are generally unwilling to mandate or wholeheartedly endorse something unless they fully understand the subject or understand the organization’s need for it.”
Gentile points out that the positive aspect of board apathy is that they’re unlikely to micromanage the security team’s activities. The bad aspect, however, is that apathy may make it difficult to receive the necessary funding or approval for strategies to deal with cyber attacks and security breaches.
Tips for Communicating with the Board
Because of this, CISOs must learn how to communicate seamlessly and effectively with board members who may not have a background in the technology or cyber security realms. The following tips can make that communication process go more smoothly.
Align with Their Business Strategy
One of the best ways for a CISO to get board approval for cybersecurity goals is to make sure that those goals are the board’s idea. To explain further: the CISO should develop a complete understanding of the board’s business strategy and make sure to communicate precisely how security plan objectives will help that business strategy succeed. Don’t just use statistics; discuss how a cybersecurity breach could impact the organization’s bottom line. When a board understands how a security plan aligns with their own plans and ideas, they’re much more likely to greenlight it.
Keep It Simple
A board “is in charge because of their extensive knowledge; they are smart folks,” Gentile writes. Just because they’re smart doesn’t mean that they’re knowledgeable about the technical jargon and acronyms of the cybersecurity world. Explain things from a layperson’s perspective and use analogies to which the board members can relate. Demonstrate precisely how a cyberattack that affects the organization might take place and what the results could be. Also, plan to bring along any visual aids that can assist in making key points.
Clearly Define the Plan
After identifying potential threats and weaknesses and explaining how they could impact the organization, clearly lay out the information security plans and priorities. Define a specific timeline on which these goals will take place. At every meeting with the board, review this timeline and summarize the progress the team has made. This will not only help the board understand future information security initiatives; it will give them a report on how past and current initiatives are progressing.
When a CISO meets with their board of directors, it’s important for them to know their audience and attempt to make a connection with them. Once the topic of cybersecurity no longer lies in the realm of the unknown and it’s clear how an information security plan can improve an organization’s bottom line by mitigating and quickly dealing with threats, the board can lend a CISO momentum, rather than being a barrier to getting things done.