This week security savants from around the world flocked to the Moscone Center for the RSA Conference 2016. In the midst of conference show floor activity that touted the latest security technologies that aim to give CISOs a good night’s sleep, a prominent group of security executives gathered at the W Hotel to discuss an important but unspoken issue: communicating effectively with their board.
Technology is an overarching problem that keeps security pros up at night, but emphasizing an organization’s cyber risk to the board in a compelling manner is right up there. From miscalculating data to serving up baffling spreadsheets, there is a slew of ineffective methods still being used today. Rather than focus on the impractical methods, the group – brought together by security executive networking group T.E.N. – shined a light on useful approaches they take today.
Taking part in the panel discussion were CISOs representing major financial institutions, retail companies and the government sector. Here are the four key takeaways that summarize the discussion on what CISOs can adopt when they report to their board.
1. Use the KISS method
We’re all familiar with this acronym, but CISOs don’t put it to use as often as they should. Collecting vast amounts of data from a company’s security arsenal is a headache, but at the end of the day, getting in the weeds with the information can work against CISOs. If the data gets remotely complex, confusion sets in for board members. Instead, remember that the board is there to make some big decisions. For them, looking at too many details where they can’t understand the big picture isn’t going to go over well. It’s time for CISOs to grab their paintbrush and do their best Bob Ross impression because it’s their duty to paint that picture for the board.
2. Be transparent
Transparency and accountability should be a big part of a CISO’s messaging. Let’s face it, security pros are seen as the bearers of bad news. But it’s important to be completely open and up front about a company’s risk posture. Being transparent and creating awareness with the board from the outset will not only educate them, but help them understand that security isn’t a technology problem, it’s a business risk problem – that’s when they’ll have their aha! moment.
3. Have a proactive, not reactive strategy
The security department has traditionally been seen as serving a reactive rather than proactive purpose. It’s time for security executives to do away with that notion by implementing a proactive strategy. Naturally, they will present the board with the risks to the company, but the bigger message should include the steps taken to address them. Providing an unbiased view is important, which is why data has to be a part of the strategy. This will let the board know how the company’s security approach is trending.
4. Speak their language
As the security space matures, so does the board. While some members may be more tech-savvy than others, it’s important to stay away from geek speak. As much as we love to talk about the ins and outs of vulnerabilities, this isn’t the time or place for that. Instead, focus on communicating the top risks in simple terms without bogging them down with smaller, intricate issues. Throwing around buzzwords and getting too far into the weeds won’t go over well.
Keeping these four tips in mind will get CISOs ahead of the game when it comes to their next board meeting. It’s time to stop telling the board what they want to hear, and begin communicating the information they need to hear in an effective way.