CISO do’s and don’ts for board reporting
Security is no longer just a job for IT – it impacts all areas of a business, from brand perception to the bottom line. As a result, CISOs are increasingly being asked to deliver cybersecurity reports to their boards, including information on global trends, security performance, security strategy, and security spend.
In an ideal world, this increase in board visibility would foster a new collaborative relationship between security leaders and their executive stakeholders; one that breaks down traditional security silos and allows security strategy to become a shared responsibility more aligned with overall business goals and objectives.
But the reality is something different for many organizations, with frustration being felt on both sides: According to Gartner, by 2022, only five percent of CISOs will report security metrics that are useful to their senior business executives. On the flip side, research shows that a majority (56 percent) of security leaders feel that their corporate boards are not active participants when developing and executing the company’s security strategy.
How can CISOs do their part in moving the conversation forward?
The biggest impediments when it comes to effective board involvement in cybersecurity boil down to not having the right communication strategy and overlooking the nuances of communicating with the audience at hand. For example, security executives often find it challenging to communicate security updates to board members, who are typically incredibly well-versed in business risk but may struggle to interpret technical security reports.
Rather than an update on firewalls and intrusion detection software deployments, what board members need is an acute understanding of their business’s security posture and risk to inform better business decisions. Read on for critical steps security executives can take to effectively communicate with their business risk-driven boards for smoother, data-driven conversations to give them just that.
Zero in on the right topics
When reporting to the board, CISOs should provide an overview of noteworthy issues that may impact executive-level decision making. For example, security leaders should come prepared to address any high-profile breaches that occurred over the previous quarter, particularly those that affect similar size and sector organizations or those with the same technologies. Engaging with board members on industry trends is an important way of informing members while establishing personal credibility.
CISOs should also identify noteworthy legal or regulatory issues and their application or impact on the business. Whether the information is the latest notice from a federal regulator about its yearly examination priorities, emerging legislation in the U.S. Congress, or new global security requirements overseas, CISOs should be able to analyze the application of these issues to the business and provide brief, informative insights for board members. This is a great way for CISOs to partner with their legal teams to deliver relevant analysis.
Use meaningful security performance metrics
At the end of the day, boards want information but they desire meaningful metrics above all. Boards want to measure security the same way they measure other aspects of the business – with an objective, quantitative update on the effectiveness of the company’s cybersecurity performance.
CISOs must be able to talk to progress against security performance goals and objectives.
Questions to prepare for include:
- How do we quantitatively measure our performance?
- Do we leverage objective data and track performance over time?
- Are we improving our performance?
- If security performance is on the decline, what is the reason and what steps are being taken to fix it?
- How does our performance compare to our peers or competitors in our industry?
In addition to leveraging their own internal data, CISOs should be tapping objective, continuous monitoring data that easily quantifies their business’s internal cybersecurity posture, their industry peers’ or competitors’ posture for accurate benchmarking. The right metrics provide a dynamic, tangible measurement of cybersecurity performance and can be used to communicate either improvement or deterioration over time, and can help CISOs easily map any fluctuation back to broader business goals and objectives. Many CISOs have found that leveraging security ratings provides an excellent, independent and objective overview for boards to measure the organization’s efforts.
Focus on telling a story
When communicating with the board, CISOs need to be more than security experts – they need to be storytellers. The best CISOs are able to talk about security incidents, regulation and policy, and the business’s security performance in an engaging, narrative-driven way that is focused on operational and financial risk.
Effective communication to the board also includes telling a highly visual story. Beyond Excel spreadsheets, CISOs should build presentations that discuss and showcase the company’s security progress visually, through charts, graphs and images. CISOs should set aside time to invest in the measurements and aesthetic of the presentation, but also focus on distilling it down to effectively communicate the most business-critical takeaways.
Stay in constant contact
Most boards are addressing cyber risk at least on a semi-annual basis, if not every quarter to review performance and progress toward goals and includes board-level representation. The cybersecurity landscape changes so rapidly that a regular cadence is required to most effectively capture updates to the security program and potential threats.
Regular meetings will provide a regular moment in time to update and engage with the board on the company’s cybersecurity overall strategy, previous risk, and plans to avoid emerging risks transparently.
Cybersecurity should be considered a living, breathing part of an organization’s ecosystem, not just a siloed department. Security risks can impact customer and shareholder relationships, the bottom line, and a company’s overall reputation, and should be understood and prioritized by all members of an organization. Thinking of security as a business enabler – not just a cost center – is an important mindset for the CISO to adopt to achieve greater board and executive-level buy-in.
By leveraging these methods of communication and reporting, CSOs and CISOs can effectively collaborate on cybersecurity strategy with the board, and build a stronger, more resilient yet fluid plan for cyber performance improvement.