Tips for Communicating with Stakeholders About Security
April 16, 2018
25 min read
Building and implementing a cyber security program to understand an organization’s environment and risk is one of the many aspects of a CISO’s role. One of the keys to building an effective and customized security program is in a CISO’s ability to communicate with the board and executive leaders in an organization.
Every security program will regularly need to update the solutions and technology it uses to stay on top of changing cyber threats and new regulatory requirements. Changes like these often have an impact on the organization outside of the security program, whether through onboarding additional resources or changes in budget for new solutions.
Communicating with the board, executive, or other organizational decision-makers is a critical part of a CISO’s job, but that doesn’t mean it’s always simple or straightforward.
We’ve put together some tips to help CISOs and other security leaders communicate seamlessly and effectively with executive leadership to make sure that the process goes smoothly.
Common Issues in Your Audience
Apathy is one of the common issues that a CISO might encounter when presenting security information to executives. CISOSHARE CEO Mike Gentile addresses this in his book, CISO Soft Skills.
The problem of apathy is characterized by a lack of interest in the topic at hand and is often caused by fear or a lack of understanding. The executive team is unlikely to sign off on something unless they fully understand the subject or the way it relates to the rest of the organization.
While apathy means that other executives are unlikely to micromanage security, a CISO often has to overcome it in order to get complete buy-in from the team.
Align with Business Strategy
One of the best ways to get executive approval for cyber security projects is to frame them in a way that lines up with the organization's goals.
When presenting to the executive team, CISOs should have a firm understanding of the organization’s business strategy and should frame the proposed security projects and initiatives accordingly. Clearly illustrating how a security project might help the organization reach goals faster will make it easier to understand and place the project in the context of the bigger picture.
Keep it Simple
The executive team won’t necessarily be knowledgeable about technical jargon and cyber security-specific acronyms.
Make sure to keep presentations and explanations at a level that a non-security expert can understand; use analogies that your audience can relate to. Visual aids, statistics, and concrete examples and results are all helpful tools for making a case about security.
Taking the time to explain how a cyber-attack might affect the organization and the impact it could have on the business can make a difference in how the team receives and decides on a project.
Clearly Define Your Plan
As you present a topic to the board, clearly outline specific options, next steps, and the potential impacts for each of these options.
Provide a timeline for hitting specific goals, and make sure to keep this timeline updated and summarized at the end of every meeting. This will keep everyone on the same page about any upcoming security initiatives, while also providing a regular report on how past and current projects are progressing.
The key to successful communication is knowing your audience and making a connection with them to bring security out of the mystical realm of the scary and unknown. Showing how security can complement or impact an organization’s bottom line can give a CISO the momentum needed to push projects forward, rather than being an obstacle to overcome.