Enhancing CISO-Board communication: Three key questions for the CISO to answer
A challenging dynamic exists between the CISO and the Board of Directors. While both stakeholders focus on risk management, their approaches to risk and the language they use are notably different. Though regulations like the NIS2 directive and SEC cybersecurity disclosure rules have given CISOs a bigger seat at the table, the legal requirements and operational prioritization to meet them have exposed a difference in perspective and understanding between the two roles. The confusion and misconceptions that result from conversations about risk undermine organizations’ security governance and the effectiveness of their cybersecurity programs. Therefore, refining the dialogue between CISOs and board of directors is integral to improved security.
Differing definitions of risk
CISOs are focused on cyber risk management, the daily pressure to prioritize risk mitigation, and protecting the digital assets that underpin their organization’s business value. CISOs know that not all assets can be protected equally or in the same way, and the organization has to tolerate some cyber risk. However, these decisions require organizational context, including corporate strategy and initiatives, which some CISOs are not always privy to, especially those who are not truly part of the proverbial C-Suite.
To further the divide, boards have their own language that often differs from those with engineering and security backgrounds. They speak about corporate governance, enterprise risk management far beyond cybersecurity, business strategy and initiatives, and investment decisions.
For security leaders, it’s imperative that what they present to the board and other organizational stakeholders includes the right language and context. Ultimately, a lack of understanding or comprehension undermines effective security governance and the quality of cybersecurity programs. Security leaders must, in essence, learn how to speak to boards about risk more effectively.
The executive team must also give the CISO context around what the organization values, where it’s heading, and which risks require effective mitigation or are to be tolerated, per the board’s opinion. With that context, CISOs can better communicate whether cyber risks will impact corporate strategy and risks are being effectively managed – both financially and operationally.
Establishing a shared language
The quality of CISO and director communication can either stifle effective risk management or facilitate a more resilient organization. Where communication is sub-optimal, the root cause is typically in the questions that are asked by the board and the responses provided by the CISO. Questions frame our comprehension and how we learn. Good questions provoke mutual understanding.
Too frequently, however, CISOs are left trying to interpret what they assume the board wants to see in the presentations. Furthermore, a CISO’s presentations are often edited by other senior executives before being submitted to the board, inevitably changing the story. Either way, this ambiguity and intermediation serves no one.
Specifically, effective communication from the CISO to the board should indicate how accepted or unintended cyber risks could impact the organization’s operations, reputation, finances, and regulatory and contractual obligations. The CISO should be able to unequivocally provide the status of the organization’s cybersecurity program and how these risks are mitigated and managed throughout their lifecycle. Directors, too, need to ensure that the questions that they pose to CISOs foster a more unambiguous understanding of the organization’s risk profile. Risk management needs to be front and center in these discussions and mutually understood.
Setting KRIs for security success
While the list below is more detailed than the board will likely require or need to know, CISOs should be focused on building out data-driven security programs with key risk indicators (KRIs) for the coverage, operational risk reduction, and personnel factors that span digital asset classes for the organization, such as:
- Cloud services
- Applications
- Data
- Users
- Networks
- Devices
- Vendors & suppliers
Predetermined and well-defined KRIs for an organization’s digital assets should be mutually agreed upon and understood. These will then be the basis for metrics regularly presented to and discussed with the board.
Undefined questions lead to questionable answers
For better or worse (it’s worse), CISOs and security leaders have a vernacular replete with acronyms and domain nuance. For non-technical directors, interpreting a CISO’s presentation can lead to ambiguity and critical misunderstandings regarding an organization’s cyber risk resilience.
Questions like “Are we secure?” from board members miss the mark. No organization is fully secure, which is why risk tolerance needs to be discussed and understood. Similarly, “How do we compare to our peers in the industry?” neglects the unique circumstances of the organization. Industry peers and competitors may have widely different technology environments and tool stacks. One company may have mountains of technical debt, while another may be fully optimized and cloud-native. The risk profiles could not be more different, but they both operate in the same sector.
Answer these questions to improve organizational cybersecurity governance
Whether you are headed into your first board meeting or you are a seasoned veteran, it’s important to frame your presentation with the appropriate context and necessary details for your specific audience.
I find when preparing for these conversations, I first gather the information that the board needs to know and then I hypothesize about what they might want to know. Next, I think of questions I could be asked based upon the information I’ve gathered. Finally, I work backward from there to ensure my presentation aligns with the board’s fiduciary responsibilities and priorities regarding organizational risk management and strategy.
As a security-focused CEO who has been attending board meetings for decades as both an executive in the hot seat and as a board advisor, here are three essential questions that I would advise CISOs to be prepared to answer, whether or not they are explicitly asked:
- Are there material cyber risks that have been accepted in isolation, or absent input from the executive leadership team or other key stakeholders? If so, was this acceptance based on a lack of resources, be they financial, operational, or required personnel?
The board needs to understand how cyber risk management happens within the organization. A risk treatment or risk tolerance decision made in isolation is rarely appropriate. Disconnects related to risk treatment, including residual risk tolerance, are at the heart of too many breaches. Your goal as the CISO is to accurately convey the status of the portfolio of cyber risks being managed in the cybersecurity program and align this risk status to organizational strategy so that the risk treatment of known risks reflects organizational priority.
You should also seek assistance in determining what level of risk is acceptable, according to the board, for the organization. The board and the executive leadership team also have a responsibility to convey what level of risk they deem acceptable. Guessing will not work. Don’t leave risk treatment to chance and delegation. Communication on expectations is key here.
2. Have there been material changes to the risk factors the organization confronts? If so, is risk increasing or decreasing for these factors? Is this driven by external or internal dynamics or both? How prepared is the organization to respond to these changes?
The board should have an understanding of both the external threat landscape, implications of changing technology (think AI, microservices, etc.), and the status of the organization’s security controls. It’s important for the board and the executive leadership to be aware of industry-specific threats, as well as those risks that may target the organization’s technology portfolio. Similarly, the board should know if current security controls are effective in mitigating risks to desired risk tolerances.
For example, as we have seen with novel cloud-based attacks, there is a material change in the risk factors seen in on-premises attacks versus cloud attacks. Legacy controls may not be sufficient to address new operating models, such as those in the cloud. Sysdig’s Threat Research Team has proven that cloud attacks can occur in mere minutes. The speed of the cloud requires modern approaches to mitigate cloud-native attacks. While a board member may not read the 555 Benchmark, they need to know if the organization is prepared to address cloud threats at cloud speed.
The second half of this question focuses on the overall directionality of the security program, analogous to CFOs reporting on trends with key financial metrics. Like financial metrics, the status of security controls should be consistently reported quarter over quarter. In short, is the organization’s security program maturing over time and becoming more effective at mitigating existing risks and those from the use of new technologies?
3. What are the specific risk factors and dependencies that could catch our organization off-guard? Is there a reason why these factors are more challenging to minimize than other risks in our risk management portfolio?
You should always be forward-thinking. Think expansively about new forms of risk that may not be fully vetted by the organization’s risk management program.
Here, security-minded directors will most likely ask open-ended questions versus the broader “Are we secure?” questions. Your answer should engender a collaborative discussion on the organization’s resilience. No one wants to be blindsided by a risk someone could have reasonably anticipated and ignoring risk is never an option. Prioritizing and contextualizing risks based on discussion and collaboration is foundational to good corporate governance.
Conclusion
Questions are the vehicle for how we frame issues. The anxiety often associated with CISOs presenting to the board and board members trying to interpret the CISO’s presentation is counterproductive. Directors and CISOs need a structured but open dialogue — a dialogue that allows both stakeholders to validate understandings, priorities, and the current status of cybersecurity controls. CISOs who lead highly effective security programs benefit from this collaboration and trust.
As one of less than a handful of “born-of-the-cloud” and “built-for-the-cloud” cloud security companies, we feel pressure to not only enable you to understand your cybersecurity risks but be able to communicate them throughout your organization.
Later this year, we will be hosting a LinkedIn Live session and Q&A on this topic. If you are not yet, follow us on LinkedIn so you are alerted when the invite for the event goes live.