
Are CISOs failing in their communication to the Board?


CISO MAG Editorial

The volume of security attacks and threats to organizations has reached alarming proportions, so much so that “cybersecurity” and “cyber risk” have become frequently used words among Boards of Directors.

The Board understands risk, numbers, charts, reports, and strategy. But when news of organizations getting hacked, and of the unfortunate consequences, trickles into the boardroom, it triggers waves of panic. The typical questions that arise are: “What if we were hit by that malware or ransomware next? How badly would that impact our business?”

Board members are likely to be aware of terms like “malware” and “ransomware,” and of acronyms like DDoS and APT, the kind the tech industry notoriously coins every year (heard any new ones lately?). They might need a simple explanation of, say, how ransomware spreads and what it does. They’re not asking for a crash course in cybersecurity, mind you. But someone who has a deep understanding of cybersecurity and knowledge of business operations has got to answer those nagging questions. That calls for a clear communication strategy. That person must talk cybersecurity using a business lexicon.

But how? What should and shouldn’t be said?

For its October 2019 issue, CISO MAG reached out to global CISOs, C-level executives and strategists and asked them to share strategies and tips for effective communication. Ten experienced senior management executives who served or continue to serve organizations in government and the private sector shared their best practices and communication strategies. They can be regarded as missionaries of cybersecurity, responsible for spreading awareness, top-down. That’s not an easy task, especially when reaching out to overburdened employees who have their plates heaped with work. Rallying thousands of employees in different locations to talk about best practices and security policies is a Herculean task.

But it’s a job that CISOs need to do, because they know that protecting the organization from hackers and malware has more to do with people and processes than with technology. The technology is a means to achieve it, not an end in itself.

It’s the CISO’s job to identify the risks that are most likely to impact the business, and to translate them into potential losses using concrete business terms and quantifiable metrics.

However, many CISOs are failing in their communication and are not successful in influencing Board decisions.

Capgemini’s report The Modern, Connected CISO revealed that 60 percent of organizations have their CISO at key board meetings, but only half of business executives think the role has a high level of influence on management decisions. One reason for this could be that the C-suite and cybersecurity experts don’t speak the same language.

The CISOs we interviewed for this issue told us that using data points and speaking in terms of risk are among the ways to get the Board’s attention. Explaining a threat through a familiar analogy works better than technical jargon.

They also shared how they keep abreast of developments and how they continually train others in the organization.

Bottom line: the CISO must be an excellent communicator to win the Board’s mindshare and its approval for security investment.

To learn more about the communication strategies of global CISOs, read the October issue of CISO MAG here.