CEO and Co-Founder of Cyber Leadership Institute, a fast-growing community of cyberleaders from more than 50 countries.
“Beware the Ides of March,” a soothsayer warned Julius Caesar in Shakespeare’s tragic play that goes by the same name. The seer’s message was consequential but, unfortunately, shrouded in obscurity. Consequently, Caesar mocked the seer, saying, “He is a dreamer; let us leave him.” The Ides of March turned out to be a terrible day for Caesar, as he was fatally stabbed 23 times.
What does Shakespeare’s centuries-old tale have to do with cyber leadership? Everything! A growing number of corporate directors now appreciate the significance of cyber risk and are willing to exercise their oversight responsibilities. But despite this growing enthusiasm, a serious obstacle stands in the way: Like the soothsayer in Shakespeare’s play, most cyber security reports are still rooted in vague and low-level metrics, leaving boards unclear about their cyber state of affairs. Only 47% of corporate directors feel that they receive adequate cybersecurity information.
Based on my experience presenting cyber risk to multiple boards and my company’s work training hundreds of cyber leaders, the fastest way to close this expectations gap is for chief information security officers (CISOs) to raise their storytelling game, move away from tech speak and communicate cyber risk with clarity and impact.
Here are ten proven strategies CISOs can deploy to sharpen their board reports:
1. Develop an in-depth understanding of your board.
By doing your homework and acquainting yourself with the board’s deepest fears, priorities and expertise, you can move away from one-size-fits-all cyber risk reporting and provide actionable insights to the board. You will also save yourself from boring the board with information they already know and be able to empower them with concrete and relevant guidance.
2. Resist the temptation to filter the bad news.
If your capabilities are below the industry average, your program needs to be funded or key initiatives are at risk, then say it. Courage and transparency are the hallmarks of leading CISOs. As many silver-tongued CISOs have learned the hard way, sugar-coating high-rated risks is a mistake that can often come back to bite you.
A consistent theme is that many cyber leaders already knew of material risks their businesses ignored way before a significant breach occurred. But they either felt they needed to feel more empowered to speak up, or their message was carefully massaged as it moved up corporate hierarchies. It’s also only possible for the cyber security team to know some things. Be open to what you don’t know as long as you have a clear plan to identify and close gaps.
3. Leave negativity to doomsters.
Fearmongering or playing the victim projects a tone of weakness and harms your credibility. A better way is to assure the board that you have uncovered key risks and established an effective remediation program. Getting this right requires a careful balance—being transparent about key risks without creating a perception that the sky is falling.
4. Avoid vain metrics.
These kinds of metrics arouse emotions without driving meaningful change. For example, telling the board that you responded to 50,000 alerts only raises more questions. Do you have poorly tuned monitoring systems? Are threat actors disproportionally targeting your organization? The game changes, however, when you tell the board that 20% of your core applications, which support 80% of your revenue lines ($3.2 billion), do not have any offline backup—leaving them exposed to debilitating ransomware attacks.
5. Recognize that cybersecurity is just one item on the board agenda.
Board agendas are normally jampacked with critical matters and cyber security is just one of them. To capture the board’s limited attention, you must avoid fluff and get straight to the point. Writing with brevity means patiently working through several drafts, pruning clutter and stripping every sentence to its cleanest form. As William Strunk Jr. said, “Vigorous writing is concise. A sentence should contain no unnecessary words, a paragraph no unnecessary sentences, for the same reason that a drawing should have no unnecessary lines and a machine no unnecessary parts.”
6. Ask a fellow executive to peer review your draft reports.
We are too close to our creations to identify their flaws. If an executive struggles to understand a section, then rewrite it because it’s likely that the board will struggle, too. The final report must be flawless and accurate because recovering from bad first impressions is very difficult.
7. Nix the excessive technical lingo.
Terms like zero-trust, zero-days, APTs and CVEs can make cyber leaders feel educated, but it confuses the board. Instead, emphasize the why by rigorously tying key risks and strategies to business goals and corporate values. This requires the CISO to have a firm grasp of the business value chain and high-value digital assets.
8. Avoid information overload but be careful not to oversimplify.
Corporate directors are competent. By now, most directors are familiar with the main threat actors and their motives. Also, stay away from overused cliches like “It’s no longer a matter of if, but when we are hacked,” as this can sound patronizing and does little to advance your agenda.
9. Clearly and concisely explain critical risks outside of appetite.
What are the likely business impacts, risk drivers and mitigating controls? Most importantly, articulate what you are doing to reduce the material risk to acceptable levels.
10. Always anticipate board questions and concerns.
Remember, most directors sit on multiple boards and will likely note concerns raised elsewhere. Questions that come to mind include: Were we impacted by a recently publicized breach or vulnerability? Are we investing enough in cyber security? Has our control environment been independently validated? How robust are our controls against ransomware?
For too long, CISOs have advocated greater visibility and influence. But they also need to play their part, particularly by articulating this crucial business risk in ways non-IT business leaders find relatable and understandable.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
Read the full article here