CISOs on the Board and 5 Actions They Should Take
When you’re the chief information security officer (CISO) for an organization, it’s concerning that too frequently most board members don’t understand what you do. One reason is that your job is difficult to describe in plain, non-technical language. After all, your primary responsibility is to defend your organization’s assets against hard-to-describe adversaries and attacks that may not have occurred yet. Further obscuring the CISO role is an organizational structure that often filters your core messages through the chief information officer (CIO).
Those in the boardroom need straight, unfiltered information about security threats, responses, and mitigation. The CISO must function as an executive—someone who can address the executive leadership team (ELT), the chief executive officer (CEO), the audit committee, and the board. Given the increasingly complex threat landscape your organization must deal with, the CISO should at the very least provide regular board updates in person, never by proxy, or – better yet – serve as a board advisor.
The journey to the boardroom
Your board needs directors who have a firm understanding of the security risks facing the organization, and the CISO is in the unique and critical position to inform them about these, along with the required capabilities to defend and respond to them. The board needs to understand both the incidents that might occur, and what can be done to expose and mitigate them. The organization, led by the CISO, must be prepared for an attack and the resulting fallout.
But gaining a seat on the board is complex, so how do you start the journey?
Board meetings are unfamiliar territory for most CISOs. This is a venue where technical topics are rarely discussed, and when they are, they’re rarely about information security. Even at lower levels—ELT meetings and audit or governance committees—the reception isn’t much warmer. A risk or privacy officer, or worse the CIO, might offer to represent your message, but this translates to it being filtered by additional layers of bureaucracy. Information security continues to be under-prioritized as a result.
When too many management levels isolate you from the board, your journey to the boardroom can be a long one. It begins by joining the ELT and various board subcommittees. Next, you must present to the board, advance your InfoSec agenda, play the educator, and hold the audience accountable.
Before starting your journey, be prepared to demonstrate that your responsibility extends far beyond security for security’s sake. Such preparation takes time, during which you should focus on these five steps:
1. Put an end to the message filtering
As the CISO, make certain your messages—both downstream and up—are never filtered. They should always be complete, with all needed details. Don’t feel compelled to sugarcoat or dumb down severity in your risk reporting; limiting its impact places you in a career-limiting position, where the only opportunity to convey the truth is during a crisis. In so doing you may end up taking an unnecessary share of the blame should a negative event occur.
Strive to be an effective communicator, so that your messages are delivered in a style and tone appropriate to the board. Take every opportunity to document, report, and share risk information with the ELT and subcommittees before going to the board.
2. Beware of proxies and demand direct communication
Exabeam’s 2018 State of the SOC Report reveals significant perception differences between frontline security operations center (SOC) staff and those in upper management. Is this because of the inadequacy of legacy technology, staffing, and alert overload? It’s important to know why.
Information channels are rarely direct. Most critical messages move through multiple layers of middle management, with each “improving” the message until it no longer provides needed impact. Each proxy further isolates the key decision makers from the information they need to make informed and rational decisions.
Your absence from the board is part of the problem. While board membership and participation are part of the solution, early in your tenure you should welcome and demand direct conversations with staff and the wider organization.
3. Fix the organizational structure
The CISO position is typically buried within the information technology (IT) department. This might seem like a natural fit, but it doesn’t usually result in an ideal security environment. Security teams are successful only when they respond quickly to events, yet IT is generally focused on minimizing disruption—even if this means doing nothing.
You and your staff need outside support to create a relevant and resilient security organization, which often means moving information security out of IT. In many forward-thinking companies, the CISO reports to the CEO, meaning the CISO reports into the board. This makes it easier for the CISO to transition to a board advisor role, and subcommittee membership.
4. Focus on cooperation
You might think the key to your success is having an ample budget. While this is certainly important, organizational cooperation is critical to your success as a CISO. Boards often assume that budget alone will fix any problem, but it also takes cooperation of all stakeholders to improve your odds of success.
Continue to promote InfoSec as a high priority to the board even after they have allocated funds. Awareness comes first, budget second, broad cooperation third – all leading to a balanced and accountable security culture. To succeed, build new capabilities and drive their widespread adoption. Routinely ask your team members two questions:
- What security capabilities have you created (and why)?
- How successful have you been in getting them adopted?
A world-class security capability is a source of pride, and only once it is fully adopted does it deliver its full benefit.
5. Make sure your messages include perspective
Be mindful that most board members know very little about InfoSec and the pain points your teams encounter on a daily basis. They might also be unaware of the risk the entire company faces if breached. A big part of your job is to offer perspective you’ve acquired by experiencing the pains of working in information security firsthand.
Use plain language to effectively communicate your perspective. Over time there must be a real understanding of cybersecurity risk, just as any ELT or board member should know accounting and finance – the days of security ignorance are gone.
Demonstrate that you’re there to advise, protect organizational assets, and insulate the board from negative outcomes. And when appropriate, consider bringing in outside advisors to help explain specific issues, such as resources that might be lost in a breach, the productivity impact, the questioning of competence, audit and regulatory issues, and legal exposure. All are pain points that board members can understand and relate to.
CISOs on the board are critical given today’s cyber threat landscape
Your journey to the boardroom can be a long one. While things move rapidly during a crisis, your success or failure is too often in the hands of others and decided in meetings you’re not invited to—an asymmetric fight against the onslaught of cyber threats and adversaries. But the real fight is all too often the internal struggle: asking for wider cooperation within the company you’re committed to defending.
As a CISO in today’s threat landscape, a major part of your job is to help your board understand exactly what they need to know to let your team effectively protect their organization.