Boards of Directors are being held to higher standards for cybersecurity governance, so it is increasingly common that Chief Information Security Officers report to their boards.
This can be nerve-racking for security professionals who have never presented to the board before, especially if they have not had to deal with non-technical executives, or have had the CIO providing “air cover”.
CISOs must know and understand the information needs of the Board of Directors. This often means answering the question “what’s in it for me?” from the directors’ perspective. Directors are often limited in their understanding of information security programs, especially those whose business experience lies outside technology. This is even true for Chief Information Officers, who may have a deep and profound understanding of general technology questions but do not understand security programs at the same level as a security professional. Consequently, directors often ask simple questions, which sometimes require more complex answers. If you are responding to a director’s question, you are better off keeping it as simple as possible, but not so simple as to be misleading or incomplete.
Typical questions asked by board members are:
- Are we secure?
- Do you have the right budget?
- Do you have the right staff?
- Are you getting the right support from management?
- Have hackers breached our systems?
- How does our security program compare with our competitors?
- How effective is our security program?
While not a comprehensive list, it’s indicative of the questions board members will ask. The questions are also deceptively simple, like the question: “are we secure?” You cannot answer this question with a simple “yes” or “no”. The most appropriate response to this type of question needs to be the very unsatisfying response “it depends”, quickly followed by an explanation of why.
If this is the first time that you are reporting to the board, one priority is to establish the baseline. This means letting the board know the maturity and comprehensiveness of the information security program, whether you have done a risk assessment or not, and whether you have formally assessed the program. Compare the performance of your program to other programs in similar organizations so board members can get a sense of relative performance. For example, if you have a maturity score of 1.5 on a scale from 0 to 5, where zero is total chaos and five is highly documented and highly repeatable processes, and the average score of other comparable organizations is 2.3, then you should share that you are not where you need to be, followed immediately by your roadmap for addressing it.
Getting the backing of your executive team before you report to the board is vital. Failing to do this is most likely going to be a career limiting move. One of the most important lessons that I have learned is never to surprise my boss, and this is especially important if you are giving information to your boss’s boss, and your boss has not heard it first.
By Mark Silver, CJC Contributor