Boards are concerned about cybersecurity, specifically about how it impacts their reputation and securities (stock). The CISO is capable of assisting the organization in selecting, deploying, and managing the capabilities to address risks identified by the board. What sounds like a perfect match is often not, as many CISOs don't have the business acumen required to be an active participant in board meetings. Key messages are lost en route from the board to the CISO, resulting in a mismatch between expectations, roadmaps, and results.
As industry peers jump on the bandwagon to create executive services called the “office of the CISO,” we have seen executives and board members also create an “office of the CIO” to provide the coaching that CISOs need to be successful. This is due to increased interest in improving the business acumen among security leaders so they can have the expertise to deal with the board directly. The goal here is to maintain the integrity of the message from the source to the recipient in the hope that outcomes will be improved.
It's critically important that the CISO is able to observe body language and posture and receive unfiltered guidance from the board, and vice versa. Without the full communication spectrum (verbal and nonverbal), concerns and directives can be based on assumptions that turn out to be inaccurate. For example, an IT executive at one of the fastest-growing tech firms in the Bay Area was asked by the board to present her plan for securing their intellectual property. The IT executive was able to discuss a few different high-level approaches, obtain feedback, and quickly obtain the support needed to build a security program from the ground up. While we [Rook Security] were brought in to help design, build, and support the new security program, the hard work had already been completed, as the board was…on board.
The most common challenge that I see CISOs face when preparing messaging for the CIO to take to the board, or for the board directly, is thinking the details are more important than the objectives, or that the framework from—pick the relevant certification—is enough to provide the necessary education and background. Save that for the board book if the board utilizes background briefs in preparation for key decisions at board meetings. The details of securing the intellectual property and sensitive data of a company don't matter to the board. They need to know that there is a plan, the plan is reasonable and feasible, and that other executives they trust have been consulted and agree with the plan. The board doesn’t need a Chicken Little talking through all of the worst-case scenarios that already keep them up at night.
To remedy this situation, we like to see executive teams encourage board members who are concerned about data protection to spend more time with the CISO. To accomplish this, it is important to select a board coach (usually a board member of another organization who is retained to consult with your CISO) who can handle the unfiltered, raw, brash truths that may come from the CISO being coached. Encourage more direct interaction between the board coach and the CISO through one-on-one meetings at board retreats, periodic phone calls, and other opportunities to have discussions outside of the constraints of internal politics and tiptoeing that is common when executives are around their board. The results may surprise you.
This post is by J.J. Thompson, founder and CEO of Rook Security, an IT security firm providing security strategy, crisis management, and next-generation security operations services.