Chief information security officers (CISOs) need to better communicate strategies and initiatives to board members, according to the Kudelski Security Customer Advisory Council's report, out Tuesday. The group used industry surveys, focus groups, and individual interviews to locate the disconnect between CISOs and non-technical executives.
Overall, their research found that board members lack experience in cybersecurity business strategy, making for confusion when a lot of high-tech terms are thrown their way. Meanwhile, CISOs said they don't feel like board members are on their side, and that they try to pick out their faults instead of successes, said the report.
To get over this hurdle, the Kudelski Advisory Council—comprised of experienced enterprise CIOs and CISOs—offers advice to create a better line of communication with board members. The council first advises CISOs to become familiar with their board members, in terms of their backgrounds, experiences, and job responsibilities. If CISOs understand their boards and what tech knowledge they hold, then they will be better able to communicate with them, said the report.
Then, CISOs can create presentations that best fits their board, whether they are visual or auditory, said the report. You can use this to educate your board members on tech concepts and terms that may be confusing. You can also incorporate relevant metrics that highlight the successes of your current cybersecurity program, explained the report. Metrics and facts are also key to include, as concrete pieces of evidence that will help assure board members that your security program is doing well.
Upon instilling a sense of confidence in your security program, CISOs should also offer up ways to improve. The report emphasizes a focus on context, providing comparisons of your business's cybersecurity practices with those of other companies. Align your cybersecurity efforts with the efforts of your business, said the report.
At the end of the day—or meeting, that is—the goal for CISOs is to create a well-rounded story for the board. The story outlines your current cybersecurity strategies: How they are working, how they compare to other companies, how they will improve, and ultimately, how they will protect your company.