How Can CISOs Talk to Boards?

If you’re a CISO, the board has probably called you in. They may have had questions about a security issue, an incident, or about strategy. And you probably entered that meeting with goals of your own.

How did it go?

If you’re like most CISOs, the board probably didn’t grasp the issue you were talking about, or didn’t feel it was important enough to give you the resources you needed.

As a CISO, understanding how to effectively communicate with the board can be your greatest asset.

At Broad Daylight, our specialty is coaching CISOs to better communicate with boards.

This image doesn’t have to fill you with fear. As a CISO, you can learn to communicate with your board much more effectively — and better achieve your goals in the process.

In this post, I’ll walk through some common mistakes, and share some basic tips for creating a smoother, more productive CISO-board relationship.

Common mistakes

Communications between the CISO and the board break down all the time. These breakdowns make it difficult for CISOs to secure their organizations and their users.

In CISO-board communications, some issues occur again and again.

  1. Explaining the threat, and how it would be exploited. You may be able to explain threats to a nontechnical audience. But should you? The board doesn’t care about how the threat is enacted. The board cares about the impact of the threat. More on this below.
  2. Putting the threat in terms of ROI or dollar values. Amazingly, this advice is standard-issue in CISO-board relations. Unfortunately, it’s completely wrong. Why? Because, when board members talk about ROI, the dollar values they usually hear are in the billions. CISOs often cite ROIs in the millions, or less.

When CISOs discuss security in dollar values, board members get the idea that security is “around the margins.” It’s not, and CISOs know this. Nevertheless, CISOs need a different way of discussing security with board members.

So what can a CISO do?

How to talk to the board about security

Board members are people

CISOs need to understand who the board members are and understand why they’re sitting in that room.

  • Are they on the board of other companies?
  • If so, what kind of companies?
  • What decisions have they made in the past?
  • What’s their relationship with other C-level executives at the company, or with each other?

Board members are human, and they respond to arguments about human impacts.

Performing your fiduciary duty

It’s your fiduciary duty to communicate the impact of known risks. This is different from explaining the threat vector technically — depending on board members’ expertise, you may actually be failing in your fiduciary duty by explaining a threat in terms they can’t understand!

So don’t skimp on your duty. The due diligence you perform on board members isn’t just to get what you want. It empowers you to perform your fiduciary duty — to speak with board members, rather than at them.

Summary

In CISO-board relations, there’s a lot more to talk about than fits into this post. How do you answer the question, “How likely is it that this threat will hurt us?” How do you frame security in terms of upside, rather than downside? At Broad Daylight, we can help you with these questions, and more.

But for now, remember this: Board members are people. Understand their goals to understand how security affects them. With this language, you can better perform your fiduciary duty — and more effectively advocate for your agenda.

If you’re a CISO who could use some coaching on board communications, get in touch with us. We provide personalized coaching at companies of all sizes.

Nick Merrill (PhD 2018, UC Berkeley) is the founder and managing consultant of Broad Daylight.