Talking to our firm’s board of directors about security isn’t a new responsibility for most security leaders; it’s been on our collective agendas for years. But many security leaders still second-guess the content and messages they share with their board. Despite years of talking about this problem, it remains unsolved in 2019. The good news: While the question lingers, substantial progress has been made — something we uncovered in our interviews of almost 100 senior security leaders and board members from around the globe.
The topic may sound the same, but the requirements have taken on a different, more elegant flavor — one that requires finesse and specificity. This change comes about as boards and organizations now prioritize security, media attention on high-profile breaches puts a harsh spotlight on firms at the worst possible time, and security leaders’ leadership styles mature. What’s more, security no longer needs to jump up and down and beg for the board’s attention; it’s being dragged in and put to task. One of our old bosses used the analogy of the firefly near the glow of the heat from the board. CISOs can either bask in the reflected light and gain illumination or get burned and fall down a chasm, receiving the harshest of punishments from the board: irrelevance. In short, boards want — and have a fiduciary responsibility to know about — security!
Boards are maturing both in their interest in and understanding of cybersecurity. They are now asking much more specific questions, particularly as they wish to increase this understanding. In conducting this research, we had the pleasure of working with board members who have been privy to this security journey. We wanted to understand where the gap is for them and how we can help close it.
The Board’s Perspective
One of the key problems in communicating security to any stakeholder group (including boards) is that we (security pros) assume that we know what our audience wants and proceed to throw information at them as per our desires. But because our expertise typically lies in the field of technology, not human psychology or communication, our assumptions about what they want are often far removed from reality. We rarely take the time to ask, for fear of appearing stupid. In this research, we did just that: We asked. As a result, we had the opportunity to understand board members’ journeys through the murky and often technical and confusing waters of cybersecurity. This made for well-rounded research and gave us a perspective from the other side of the coin.
Building A Dialogue
In 2019, superstar CISOs will be expected to go beyond providing a PowerPoint presentation to their boards of directors on the state of security. CISOs will be tasked with creating trusted dialogue and changing a culture of awareness to a culture of trust and understanding with the board of directors. They will need to do this for a number of reasons: to educate, to influence, to gain budget, to justify spending, to brief on incidents, and to reassure the board.
The Report And Template
This report (Forrester clients can view here), one of the authors’ all-time favorites, pulls together all of these different perspectives. It articulates in clear steps the sort of information and behavior your board needs from you and how you can meet this expectation. To make life easier, we have also created a presentation template that you’re free to use. Template or not, always remember: Successful communication goes well beyond a one-off slide deck. To successfully communicate with the board, you need to build trust and have a two-way dialogue; listen to and address their concerns. You have many nonsecurity tools and resources to guide you along the way; think executive coaches, board members who are willing to take the time to mentor and coach, books, and executives within your organization who have been through the same journey you’re on.