As cyber attacks become more prevalent, boards of directors are getting more engaged with cybersecurity. Their exact roles differ depending on factors such as the type of organization and location, but they’re increasingly concerned with plans to prevent ransomware, secure data, limit the fallout from attacks, and more.
To manage these concerns, they want to hear from CISOs. Yet reporting to the board can seem challenging at first. CISOs and other leaders involved with cybersecurity need to communicate on complex issues. And these issues continually evolve.
The good news is that CISOs generally don’t have to work as hard as they used to to get on boards’ radar.
In the past, “it was very difficult to just get the attention of the board and to convey what needs to be done to prepare the organization to prevent, detect and react accordingly,” says Philippe Vuilleumier, Chief Security Officer at telecom company Swisscom. Vuilleumier is also an advisory board member for Kovrr. “Now, you have an audience which is interested and probably better educated.”
Still, CISOs need to make some small yet powerful communication shifts to get through to boards. In our series on “what keeps a CISO up at night,” we’re looking at the top issues that CISOs and other IT leaders face. Here, we’ll explore insights from Vuilleumier on how CISOs can report to boards more effectively.
The first step toward better board reporting is finding a common language. Although boards care about cybersecurity, they might not be able to engage on technical topics. Instead, CISOs can discuss cybersecurity in more relatable terms.
“A good way to convey a message is based on risk,” advises Vuilleumier. “Especially when you are able to quantify that risk, then you bring the discussion into the realm of something they know. Boards understand the concept of financial risk and how that needs to be either reduced or eliminated.”
Globally, 88% of boards think of cybersecurity as a business risk, not just a technology risk, finds Gartner. So CISOs need to communicate in these terms, rather than getting caught up in technical jargon.
Related to finding a common language, CISOs need to communicate in simple terms that still get the job done.
“Your language needs to be adapted to your audience,” says Vuilleumier. “Leave all the acronyms at home and start speaking in plain language.”
Then, consider the topics that boards need to know. Try to anticipate common board questions so you can integrate those answers into your reporting.
“Typically, the questions that you would get are: How secure are we? Are we investing in the right areas? Are we doing better than our competition in terms of cybersecurity, etc.?” says Vuilleumier.
In terms of how to answer those questions, remember not to get overly technical.
Communicating in a common language means coming together on key metrics that help you measure cybersecurity. The details of whether to put answers within, say, a PowerPoint or save these for Q&A discussions depends on how a board prefers to receive important information, regardless of the department it comes from.
“Whatever you use, give the board an objective as possible view on where the company is in terms of security posture, risk posture, and what needs to be done to improve,” adds Vuilleumier.
Better board reporting also means communicating on a regular basis, rather than only reaching out to boards after an incident occurs. That said, you don’t have to communicate constantly to be effective. Instead, aim for the frequency and style that aligns with other areas of the business.
“Talking about cybersecurity risks shouldn't be something exceptional. It should be something that is normal, like how you would talk about financial risks or supply chain shortages,” explains Vuilleumier.
The frequency should also align with regular board reporting schedules. If it’s common for other departments to report, say, quarterly, then CISOs should do the same for cybersecurity. And if other leaders communicate with boards between formal meetings, such as by sending over relevant articles, then CISOs can do that for cyber risk too.
“It needs to fit the culture,” says Vuilleumier.
New risks might emerge between meetings, but that doesn’t mean CISOs need to keep board members’ phones ringing off the hook. Whatever the protocol is for handling other types of risks, that’s what CISOs can follow.
“Try to make cybersecurity something as normal as possible, like quality assurance or an HR function,” adds Vuilleumier.
Overall, reporting to the board doesn’t have to be as difficult as it first seems for CISOs. As long as you try to find a common language, communicate in simple, effective terms, and try to fit cybersecurity in as a regular part of the company, you can get on the same page with boards.
Want to see how Kovrr can help you financially quantify cyber risk so you can find a common language with boards? Book a demo with our experts today.