
Improving CISO-board communication: Partnership, metrics essential

With data breaches threatening the bottom line, CISO-board partnership is crucial. A new report by Kudelski Security looks at how to improve security communication with the board.

"Are we secure?"

That's the most common -- and challenging -- question that CISOs get asked by their board members, according to a recent report published by Kudelski Security. While there is no clear yes or no answer, the key is to first understand exactly what and why the board is asking, said John Hellickson, managing director of global strategy and governance at Kudelski Security.

"It is important to make it clear to the board that there is no such thing as perfect security," Hellickson said.

The report, titled "Cyber Board Communications & Metrics -- Challenging Questions from the Boardroom," highlights the top questions CISOs are asked by their board members and offers strategies to address them. For example, one way to make CISO-board communication more effective is to bolster board presentations with metrics and visuals.

The biggest takeaway for CISOs is that boards of directors are taking more interest in the security posture of their organizations, Kudelski Security CEO Rich Fennessy said. This provides both a challenge and an opportunity for CISOs, Fennessy added.

"The challenge is that a majority of CISOs, even seasoned ones, have difficulty understanding what boards are looking for and then providing this in a way that resonates," Fennessy said. "We feel that a new approach to communicating cyber risk is needed and this represents the opportunity."

A new approach to CISO-board communication

One of the most important findings from the report is the need for a new approach to communication between the CISOs and their organization's board members.


In today's volatile security landscape, it is vital that CISOs make the case to the board for investing in a robust and mature cybersecurity program, Fennessy stressed. A partnership between CISOs and their board of directors is crucial to this end, he added, and the effectiveness of any company's security program depends on it.


To improve CISO-board communication, CISOs need to explain cybersecurity issues to the board in layman's terms, according to Bryce Austin, CEO at TCE Strategy and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives.

"Explain the concepts of multifactor authentication, encryption in motion and at rest, zero-day vulnerabilities and GDPR," Austin said. "The board needs to understand what these concepts and regulations are and how they impact their company."

But because CISOs are given limited time to interact with the board, they have to learn how to engage quickly and partner for the common cause, Hellickson said. This means getting to know their organization, its vision and mission. CISO-board communication should become easier as CISOs learn more about the board's goals for the organization, share relevant security information and consider business needs in their presentations, he added.


"CISOs will start to create a bridge between the technology and the organizations' broader issues and challenges; linking security with the ability of the organization to go to market, operate efficiently, minimize downtime, reduce costs and finally become a key partner to the board," Hellickson said.

Metrics matter

Metrics are an important tool for CISOs because they help answer key questions the board is likely to ask and help CISOs make their case, Hellickson said. Boards prefer objective, quantitative evidence, but both quantitative and qualitative metrics can be effective, he added.

Even the most seasoned CISOs find it challenging to translate security and risk information into business language that provides meaningful insight to boards and business leaders, he said.

"Traditionally, CISOs have presented boards with metrics related to technical and security operations, which are hard to understand," he added. "Presenting them can even reduce trust in their ability as security leaders."


Boards are fact- and finance-driven, Austin added. They want relevant data presented to them so that they can make the best decisions for their organization.

Core quantitative metrics should be part of the presentation, Hellickson said: dwell time (how long an intruder goes undetected), vulnerabilities discovered versus remediated, patch management data, the number of incidents and vulnerabilities, and the number of unremediated risks.

Other metrics to include are the outcomes of initiatives that aimed to reduce risk; how security has been integrated with application development; actions taken to improve the company's security risk posture; and the risks the organization has accepted and how they align with the company's agreed-upon risk tolerance, he added.

"We also think it is helpful to talk about security as a journey, showing where you're at today, where you want to get to and where you've made noteworthy progress," Hellickson said.
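As an added example, not part of the Kudelski report or this article, the following Python computes several of the metrics Hellickson names from constructed sample records: dwell time from incident timestamps, vulnerabilities discovered versus remediated per severity with an assumed remediation SLA, and accepted risks checked against an assumed tolerance. All dates, identifiers, SLA values and tolerance thresholds are hypothetical.

```python
from datetime import date, datetime
from statistics import median

# Constructed sample incidents (not from the article). "compromised" is the
# earliest evidence of attacker activity; "detected" is when the SOC caught it.
INCIDENTS = [
    {"id": "INC-1", "compromised": datetime(2019, 1, 3, 9, 0), "detected": datetime(2019, 1, 10, 14, 0)},
    {"id": "INC-2", "compromised": datetime(2019, 2, 1, 0, 0), "detected": datetime(2019, 2, 1, 18, 0)},
    {"id": "INC-3", "compromised": datetime(2019, 2, 20, 8, 0), "detected": datetime(2019, 3, 15, 8, 0)},
]

# Constructed vulnerability records; "remediated" is None while still open.
VULNS = [
    {"id": "V-1", "severity": "critical", "discovered": date(2019, 3, 1), "remediated": date(2019, 3, 5)},
    {"id": "V-2", "severity": "critical", "discovered": date(2019, 3, 2), "remediated": None},
    {"id": "V-3", "severity": "high", "discovered": date(2019, 2, 10), "remediated": None},
    {"id": "V-4", "severity": "high", "discovered": date(2019, 3, 20), "remediated": None},
    {"id": "V-5", "severity": "medium", "discovered": date(2019, 1, 15), "remediated": date(2019, 3, 1)},
]

# Assumed remediation SLA in days per severity (hypothetical policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed accepted-risk register and an assumed tolerance: the maximum
# number of accepted risks permitted at each rating.
ACCEPTED_RISKS = [{"id": "R-1", "rating": "high"}, {"id": "R-2", "rating": "medium"}]
RISK_TOLERANCE = {"high": 0, "medium": 3}

AS_OF = date(2019, 3, 31)  # reporting date for the board pack


def dwell_days(incidents):
    """Dwell time per incident: detection minus first evidence of compromise, in days."""
    return [(i["detected"] - i["compromised"]).total_seconds() / 86400 for i in incidents]


def median_dwell_days(incidents):
    """Median rather than mean, so one long-running intrusion does not dominate the figure."""
    return median(dwell_days(incidents))


def vuln_summary(vulns, as_of, sla_days):
    """Per severity: discovered, remediated, still open, and open past the SLA as of `as_of`."""
    out = {}
    for v in vulns:
        s = out.setdefault(v["severity"], {"discovered": 0, "remediated": 0, "open": 0, "overdue": 0})
        s["discovered"] += 1
        if v["remediated"] is not None:
            s["remediated"] += 1
        else:
            s["open"] += 1
            if (as_of - v["discovered"]).days > sla_days[v["severity"]]:
                s["overdue"] += 1
    return out


def tolerance_breaches(accepted, tolerance):
    """Ratings where the count of accepted risks exceeds the agreed tolerance."""
    counts = {}
    for r in accepted:
        counts[r["rating"]] = counts.get(r["rating"], 0) + 1
    return sorted(rating for rating, n in counts.items() if n > tolerance.get(rating, 0))


def board_summary(incidents=INCIDENTS, vulns=VULNS, accepted=ACCEPTED_RISKS, as_of=AS_OF):
    """The handful of numbers that would go on a board slide, as one dict."""
    return {
        "incidents": len(incidents),
        "median_dwell_days": round(median_dwell_days(incidents), 1),
        "max_dwell_days": round(max(dwell_days(incidents)), 1),
        "vulnerabilities": vuln_summary(vulns, as_of, SLA_DAYS),
        "risk_tolerance_breaches": tolerance_breaches(accepted, RISK_TOLERANCE),
    }


if __name__ == "__main__":
    for key, value in board_summary().items():
        print(f"{key}: {value}")
```

The point of computing "overdue" against an SLA, rather than reporting raw open counts, is that it turns a technical backlog into a statement the board can act on: how many known weaknesses are outside the risk appetite the board itself agreed to. The same applies to checking the accepted-risk register against the tolerance thresholds.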

3 comments

What kind of metrics should be included in presentations to improve security communication with the board?
Great question, Mekhala. If you think of most boards, they are comprised of great business leaders, who are experts in their business field. Some will have technical knowledge, but others may not. The best metrics you can provide are those that enable a business discussion about technical topics but in simplified business terms. What are the organization's risks, what maturity levels should we have, and then what maturity levels do you have? Enable the business conversation in a way that educates as well as informs, and you will be successful in building board confidence and partnership.

https://cmmiinstitute.com/products/cybermaturity
Thanks, Dean! And yes, it is important to translate technical details about cybersecurity into business terms when talking to the board.