A panel of security professionals discuss the top three tips for how CISOs and risk officers can help improve board communication around security

CISOs and other executives are tasked with keeping the board of directors up-to-date on security-related matters. The board may not require granular details, but whether it's a report on the company's overall security posture, an analysis of the current threat landscape, an update to the organization's threat detection and response plan, or other broad policy matters, there's a lot to keep the board informed of. And when an organization is subject to regulations like PCI-DSS, SOX, HIPAA, or the GDPR, the board of directors may be hyper-vigilant and want more frequent updates on security and compliance issues to protect the organization's interests – and avoid costly consequences of non-compliance.

So, whether you're keeping the board informed of run-of-the-mill security concerns or providing detailed reports on how the company maintains regulatory compliance, improving board communication around security is a top concern for today's executives. To help you better communicate pressing security matters, we reached out to a panel of security leaders and asked them to answer this question:

"What are your top three tips for improving board communication around security?"

Meet Our Panel of Security Professionals:

Read on to learn what our pros had to say about improving board communication around security.

Jim Goepel

Jim Goepel is CEO and General Counsel for Fathom Cyber and an adjunct professor of cybersecurity at Drexel University’s Kline School of Law. He holds a BS in Electrical and Computer Engineering from Drexel University and a JD and LLM from the Antonin Scalia Law School.

"The top 3 tips for improving board communication around security are..."

Make issues relatable to the board. When you take your car in for repairs, you don’t really want the technician to tell you that the problem with your car is that one of the 100 microfarad capacitors in the control systems for a DNI 72552-series, Type A, 12-volt, high current relay seems to be bad. Instead, you want her to tell you that there is an electrical problem in the power steering system, that it will cost you $500 to repair it, and that if you don’t fix it, the car may lose steering when you’re on the highway. What that technician has done is to translate a highly technical issue into something that is relevant to you, the decision maker. She has told you the nature of the problem (electrical problem in the power steering unit), the business impact (loss of steering while on the highway), and the mitigation cost ($500). You, as the decision-maker, can now decide whether the risks warrant the cost, and where/how to prioritize this expense as compared to your other expenses. That’s the kind of information the Board needs.

Learn more about the business. You are busy fighting fires every day. From criminals attacking the front gate, to phishing attacks that seek to jump your defenses, to users who make some very questionable decisions, your days are typically pretty full. But you need to find the time to learn more about what makes the business a business, and to keep doing this regularly, because the business’s priorities change. Ask to be invited to business planning meetings, including sales meetings. This will help you understand what the business, and especially the Board, considers to be a priority, and will help you to better understand how to frame the discussions mentioned above.

Run tabletop exercises. Unfortunately, most people still take an “it can never happen here” approach to cybersecurity. Until it does. Rather than waiting for a real attack that disables your environment, stage a mock attack for the Board and C-suite. Let them see what issues can arise, and how additional funding in key areas could greatly improve the business’s response.

Given how busy most CIOs, CISOs, General Counsels, Risk Officers, and others in the cybersecurity field are, these ideas can be tough to implement. It is frequently better to have an outside consultant come in to help.

Steve Dickson

@Netwrix

Steve Dickson is an accomplished expert in information security and CEO of Netwrix, a provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, CA.

"Security management (CIO, CSO, CISO, IT director) are those who must convey the importance of security to executive leadership in order to..."

Establish a solid security posture and ensure that the company operates and grows in a risk-based way. To build strong communication with the boardroom, I advise them to consider the following tips.

Present security as a business enabler. When you explain the value of security initiatives, make sure to emphasize how they will affect the business. For instance, the VP of marketing won’t really care about a data discovery and classification solution per se, but he will be happy to hear that it will help his team purge lost and unengaged leads and transform the bloated database into a lean, fine-tuned source of highly relevant leads that marketing must focus on.

Take tech terminology out of the conversation. It is better to avoid technical terms and acronyms that non-IT leaders might not understand. Make sure that people do not need a degree in computer science to follow your reasoning and consider your opinion when making decisions.

Develop 1:1 relationships. No doubt, it is important to initiate regular reports on security status to the boardroom. Many companies do it, but it is not enough. By establishing informal personal relationships with key figures, you will gain even higher credibility and be better positioned to understand their concerns. Later on, you will be able to better tailor your projects to their actual needs.

James Doggett

@Panaseer_com

James Doggett is CISO and head of US operations at Panaseer. He joined Panaseer in 2017 and brings a wealth of experience to the role. James previously served as the Chief Technology Risk Officer for AIG, the Chief Security Officer and Chief Technology Risk Officer for Kaiser Permanente, and Managing Director at JP Morgan Chase.

"Most security teams have presented information to the..."

Board of Directors, only to find out later that there was data missing for a key part of the company or it was otherwise not accurate. It’s tough to regain trust at that level once lost, and so it’s critical to build controls into the gathering, consolidation, enrichment and presentation of security-related data. You must have accurate and timely data to be relevant to the business and leadership.
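The point above is that a board metric is only as good as the data behind it, and "data missing for a key part of the company" is the usual failure. The following is an added example, not code from the article or from Panaseer, of the kind of pre-flight control a security team can run before a number goes into a board pack: it reconciles a constructed asset inventory (a CMDB extract) against two constructed control feeds, computes coverage per business unit, flags stale feeds, and flags hosts a control knows about that the inventory does not. Hostnames, business units, dates and thresholds are all invented for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for this example (not from the article): a CMDB extract
# and two control telemetry feeds. Hosts, business units and dates are invented.
CMDB = [
    {"host": "web-01", "bu": "Retail"},
    {"host": "web-02", "bu": "Retail"},
    {"host": "db-01", "bu": "Retail"},
    {"host": "trade-01", "bu": "Trading"},
    {"host": "trade-02", "bu": "Trading"},
    {"host": "hr-01", "bu": "Corporate"},
]
FEEDS = {
    "vuln_scanner": {"as_of": date(2019, 3, 1),
                     "hosts": {"web-01", "web-02", "db-01", "hr-01"}},
    "edr": {"as_of": date(2019, 1, 10),
            "hosts": {"web-01", "db-01", "trade-01", "trade-02", "hr-01", "lab-99"}},
}
REPORT_DATE = date(2019, 3, 5)   # the date the board pack is being assembled


def coverage_by_bu(cmdb, feed_hosts):
    """Fraction of each business unit's inventoried hosts that the feed reports on."""
    counts = defaultdict(lambda: [0, 0])          # bu -> [covered, total]
    for asset in cmdb:
        counts[asset["bu"]][1] += 1
        if asset["host"] in feed_hosts:
            counts[asset["bu"]][0] += 1
    return {bu: covered / total for bu, (covered, total) in counts.items()}


def unknown_hosts(cmdb, feed_hosts):
    """Hosts a control reports on that the inventory does not know about. These mean
    the inventory itself is incomplete, so every per-BU figure is an undercount."""
    return sorted(feed_hosts - {asset["host"] for asset in cmdb})


def validate_for_board(cmdb, feeds, report_date, min_coverage=0.9, max_age_days=30):
    """Return the data-quality findings that must be cleared (or disclosed on the
    slide) before any metric derived from these feeds is presented to the board."""
    findings = []
    for name, feed in feeds.items():
        age_days = (report_date - feed["as_of"]).days
        if age_days > max_age_days:
            findings.append(f"{name}: data is {age_days} days old (limit {max_age_days})")
        for bu, cov in coverage_by_bu(cmdb, feed["hosts"]).items():
            if cov < min_coverage:
                findings.append(f"{name}: {bu} coverage {cov:.0%} is below {min_coverage:.0%}")
        for host in unknown_hosts(cmdb, feed["hosts"]):
            findings.append(f"{name}: reports on {host}, which is not in the inventory")
    return findings


if __name__ == "__main__":
    for finding in validate_for_board(CMDB, FEEDS, REPORT_DATE):
        print("BLOCKER:", finding)
```

With the constructed data, the scanner feed has no coverage of the Trading unit at all, and the EDR feed is both stale and reporting on a host nobody inventoried; a "percentage of assets with EDR" figure built from these feeds would be wrong in exactly the way the passage above warns about.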

Michael Figueroa

@ACSCorg

Michael Figueroa, CISSP, is the Executive Director of the Advanced Cyber Security Center, a non-profit organization that brings together industry, university, and government organizations to address advanced cyber threats. In addition to leading the ACSC, Michael has also managed teams securing large-scale systems integration efforts for U.S. Government agencies.

"The ongoing digital transformation we see across organizations in all sectors is..."

Creating more complexity and new challenges for institutions seeking to manage their cyber risk. In this dynamic cyber risk landscape, organizations must constantly adapt and improve their approaches – and so too should corporate boards if they are to be active governance partners in collaborative defense. Improving board communications on security will be a critical first step.

Key elements for improving board communications include:

Establish a strategic security governance role. The board’s role on cyber security should be risk-focused in the context of digital choices, with a broad understanding of cyber operations and without the distraction of too many operational details. Asking key security questions focused on understanding the cyber risks to the organization and specific assets at risk, assessing the organization's strategy to mitigate those risks relative to the value of those assets, and examining the organization's preparations for responding to a major cyber incident, would empower the board to make high-level decisions about risk and then step back and trust senior management to operationalize the strategy.

Expand board-level cyber expertise to be more able to ask questions management hasn’t already thought of. Instituting a regular curriculum for board members helps ensure a baseline level of expertise across the board and would allow management to target their presentations more effectively. Also bringing external cyber experts – consultants, independent auditors, etc. – into the management-board relationship to validate the organization’s current cyber security stance would be valuable for both building board-level expertise and modeling for board members the types of probing, difficult cybersecurity questions that they should be asking of senior management.

Align cyber governance against corporate business structures rather than isolating it. Boards need a holistic and dynamic mental model of an organization’s cyber security responsibilities as it relates to how the organization executes its mission, with direct access to CISOs and risk officers. Joint collaborative presentations, such as between the CIO or CFO and the CISO, would present boards with an integrated and holistic picture of an organization’s security and operations in the context of the business. It also ensures that the entire senior management team is informed about cybersecurity initiatives and capable of answering questions from the board about how those initiatives will affect business strategy.

Rob Black, CISSP

@IoTSecurityGuy

Rob Black, CISSP, is the Founder and Managing Principal of Fractional CISO. He helps organizations reduce their cybersecurity risk as a Virtual CISO. Rob is the inventor of three security patents. He consults, speaks, and writes on IoT and security.

"Board members are busy executives..."

They don't have time to learn the language of cybersecurity. When presenting, cybersecurity leaders need to be cognizant of the audience. Often what is presented is not easily consumable by non-security personnel. Here are three tips that I have used to help align board members and executives.

Use dollars and probability whenever possible. Telling a board member that you have a high risk does not put things in a proper context. Saying we have a 5% chance of X happening with a ten-million-dollar consequence provides a much better chance of a good decision being made. Then the board members can ask questions about the assumptions and specifics around the consequences. You can have a productive conversation around what controls could be put in place to reduce the risk. Maybe you will even get funding to address the threat!

Analogies are terrific for board members. Tying your recommendation to something concrete is a great way to get on the same page. There are often some complex concepts in cybersecurity. I often use gold-in-the-castle analogies to simplify the discussion. Everyone can understand putting something valuable in a locked room in a castle guarded by knights and a moat. Threats, vulnerabilities and controls can be explained in this context. With an analogy you can more easily get alignment with your board.

Don't use cyberspeak! Board members are typically very smart. But they can't be expected to learn a brand new language to be able to discuss cybersecurity. Many in our industry unfortunately use cybersecurity jargon in their everyday communication. Those that can translate cybersecurity terminology into common terms will have a much better chance of being successful.

Thomas G. Martin

@tmartinpi

Thomas G. Martin is the President of Martin Investigative Services.

"My top three suggestions are..."

1. Consistently, every four months, have electronic eavesdropping detection sweeps performed in the boardroom and adjoining offices.

2. Unplug all landline phones in the board/conference room during meetings.

3. Have floor phone rooms, where equipment is stored, checked and locked.

David Geer

@geercom

David Geer is a cybersecurity SME, and content producer for cybersecurity and technology companies and publications.

"To improve board communication around security, my top tips are..."

For long-lasting results, give the board less to remember and more reasons to do so. Target topics that matter to the board and get to the point. If funding a specific security product helps keep the company out of the news for data breaches, say that. If it saves the company X dollars, say that. If you need to support your recommendations, do it with language the board understands and information the board weighs heavily. If you can substantiate what you need to do, make sure they understand your evidence and what it means.

Catherine Allen

@SA_Program

Catherine Allen is the Chairman and CEO of Shared Assessments Program.

"My top 3 tips for improving board communication around security are..."

Speak about business models, strategy and goals, and do not use geek speak – do not use acronyms, or if you must, explain them;

Discuss your data governance policies and critical assets for the organization and why that should be the board’s focus – use the “Protecting the Crown Jewels” theory; and

In presentations, consider using a dashboard with color coding to show exceptions and where special info is needed.

Christopher Gerg

@gwdatarecovery

Christopher Gerg is the Vice President of Risk Management at Gillware. He is a technical lead with over 15 years of information security experience. He is experienced in the challenges of information security in cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries.

"Keep your message focused on high-level risks and..."

Recommended response (a technical change, insuring against the risk, or simply assuming the risk), along with follow-on information regarding past risk response decisions. Boards of directors are used to speaking in terms of business risk assumed by making, or not making, a change or decision.

Do NOT get lost in the technical details. Most boards come from a business background and do not want or need the details unless they are relevant. They are also interested in your well-reasoned risk-based recommendation. Do not report a problem without a recommended solution, if possible.

Include budgetary information in your recommendations – both in terms of dollars and manpower.

Eden Gillott

@CrisisPRguys

Eden Gillott is president of a strategic communications firm, Gillott Communications, and is a former business professor. She’s the author of A Board Member’s Guide to Crisis PR, and has appeared in the LA Times, Wall Street Journal, NPR, the Washington Post, Forbes, Financial Times, and Business Rockstars.

"As a crisis manager, I see boards and executives struggle with this issue often..."

Don't ignore an issue or put it on the back burner. As a board member, it's your duty to take care of the organization. Speak up. If you sense something is amiss, don't wait hoping someone else will – they're likely thinking the same thing about you.

Have a basic data breach plan in place beforehand. You can't plan for every possible outcome, but you can cover the basics. Form a team beforehand, designate a spokesperson, and know what you're going to say (and not say). Once a security incident happens, you don’t have time to run around trying to gather info and organize a team. If you're making decisions on the fly during a high-stakes situation, you're begging the Universe to make the situation worse.

Drew Farnsworth

@data_good

Drew Farnsworth is a Partner in Green Lane Design.

"My top three suggestions for improving board communication around security are..."

Scare them - There has been a lot of vague worrying over the years around security but we are in the era when panic is appropriate. We do not have the GDPR in the US, but laws like that are coming. Companies will soon be liable for these lapses and will soon pay huge fines. You have to fill the cracks now so that your whole business doesn't get sunk when the time comes.

Engage them - Show the fun examples from YouTube or online that really explain cybersecurity issues. XKCD's primer on password strength is a good start. Similarly, use a tool like Correct Horse Battery Staple to generate secure passwords.

Support them - Bring board members into the equation by providing password managers, security solutions and encrypted messaging so that they are within the support system.
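The "correct horse battery staple" idea the answer above refers to is that a passphrase of a few randomly chosen words can carry as much entropy as a shorter "complex" password while being far easier to remember. As an added illustration (not code from the article, from XKCD, or from any passphrase tool), the block below generates a passphrase with the operating system's CSPRNG and computes the entropy of passphrases and character passwords from first principles, so a presenter can show a board why the size of the wordlist and the number of words matter more than symbol substitutions. The eight-word wordlist is a constructed stand-in; the 7,776-word list size used in the comparison is the size of a standard diceware-style list.

```python
import math
import secrets

# Constructed miniature wordlist for illustration only. A real diceware-style list
# (for example the EFF long list) has 7,776 entries; the entropy figures below depend
# only on the list's size and on each word being chosen uniformly at random.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "anchor", "meadow", "copper", "violet"]
PRINTABLE_ASCII = 95   # alphabet size for a "complex" password of printable characters


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words drawn uniformly, with replacement, from the list."""
    return word_count * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a password of the given length drawn uniformly from the alphabet.
    A human-chosen password with substitutions ("Tr0ub4dor") has far less than this."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_count, wordlist=SAMPLE_WORDLIST, separator=" "):
    """Generate a passphrase with the OS CSPRNG; random.choice() would be predictable."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def years_to_exhaust_half(entropy_bits, guesses_per_second):
    """Expected time for an attacker to reach the average guess at the given rate."""
    return (2 ** entropy_bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(4))
    comparisons = [
        ("4 words, 7,776-word list", passphrase_entropy_bits(4, 7776)),
        ("4 words, 8-word list", passphrase_entropy_bits(4, len(SAMPLE_WORDLIST))),
        ("8 printable ASCII characters", password_entropy_bits(8)),
        ("12 printable ASCII characters", password_entropy_bits(12)),
    ]
    for label, bits in comparisons:
        years = years_to_exhaust_half(bits, 1e10)   # assumed offline guessing rate
        print(f"{label}: {bits:.1f} bits, about {years:.2g} years at 1e10 guesses/s")
```

The second comparison line is the caveat worth making to a board: four words from an eight-word list is only 12 bits, so a passphrase is only as strong as the list it is drawn from and the randomness of the draw, never the phrase's length alone.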

Jacob Dayan

@communitytaxllc

Jacob Dayan is the CEO and co-founder of CommunityTax and FinancePal.

"My top three recommendations for improving board communication around security are..."

Plan Meetings on the Subject in Advance - Plan a meeting to discuss some key points you wish to discuss and review. Plan everything in advance and give the board members a brief on what the contents and materials will be discussed. It's also a good idea to let the board invite whomever they would like or think should sit in on this meeting.

Talk Business - If you have your own internal Chief Information Security Officer (CISO) or have an external agency handling your cyber security, the CISO or agency need to put themselves in the board's shoes. They should speak in terms that they can all understand and further explain things that they might not understand.

Analyze Your Metrics - As with many business objectives, it's important to monitor progress and changes. Carefully select some metrics to measure and continually monitor as part of your ongoing security objectives. Present and discuss these metrics with the board.

Steve Durbin

@stevedurbin

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. He has been ranked as one of the top 10 individuals shaping the way that organizations and leaders approach information security careers.

"Organizations of all sizes are operating in..."

A progressively cyber-enabled world and traditional risk management isn't agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that evaluates the threat vectors from a position of business acceptability and risk profiling.

In the typical enterprise, the Board of Directors sits atop a hierarchy of executives, managers, teams, and processes. In the digital era, every part of this hierarchy relies on, interacts with, and supports the bottom line using cyber systems. Networks, computing and data are the lifeblood of virtually every modern organization. If you aren't paying attention to cyber security, you aren't engaged in the core operations you are tasked with directing.

Everyone says the board should be more engaged in cyber security, but what does that mean? For starters, it means requesting and receiving regular security briefings - and finding a way to ensure that you understand them. It means taking to heart that you, as a director, are responsible for overseeing data breach prevention. It means that you must passionately and continuously lead the charge to create a culture of security throughout your entire organization. You have to lead by example, and by constantly communicating and showing that cyber security best practices are a top priority. One of the core tenets of modern corporate responsibility is protecting the privacy and integrity of customers' data – does everyone in your organization fundamentally get that? If not, figure out how to cultivate that as a company-wide value.

Most importantly, Boards can engage by working actively and collaboratively with their senior executives – not just the CIO and CSO, but the entire C-suite and beyond - to make sure they are all working together, strategically and tactically, on cyber security and risk management programs.

Covering all the bases (defense, risk management, prevention, detection, remediation, and incident response) is more feasible when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives. Board directors can provide more meaningful oversight if they understand the distinct role of each executive, how these roles are changing in the digital era, and where breaking down barriers and forging new paths could transform the enterprise response to both cyber challenge and opportunity.

Engaged boards and executives make better decisions about how to align business and security objectives to manage risk, protect brand reputation, and respond effectively to incidents. In the end, companies that prioritize well-equipped security programs and widespread security awareness are more prepared to grow, innovate, and compete.

Finally, I strongly recommend organizations establish a crisis management plan that includes the formation of a Cyber Resilience Team. This team, made up of skilled security professionals, should be tasked with thoroughly investigating each incident and ensuring that all relevant players communicate effectively. The Board should periodically review to ensure that comprehensive and collaborative recovery efforts can be executed in a timely fashion.

Aidan Simister

@aidansimister

Having worked in the IT industry for a little over 22 years in various capacities, Aidan is a veteran in the field. Specifically, Aidan knows how to build global teams for security and compliance vendors, often from a standing start. After joining Lepide in 2015, Aidan has helped contribute to the accelerated growth in the US and European markets.

"The three top tips we would recommend are..."

Appoint a Chief Data Officer (CDO). This allows a business to be more aware of what data they have and how they are using it, storing it and protecting it. Data should be a company's top priority. If it is used properly it contains all the information a business needs to streamline its processes and become more profitable. But if it is poorly managed it can be the downfall of the whole organization.

Show security visual aids, like reports that show progress towards security improvements and compliance. The board is very busy, as is the CISO; using visual aids can quickly and effectively communicate current security procedures and requirements.

Use less tech jargon and more business-related terminology. The board are not tech guys, but they need to understand what is happening. So finding a way to translate the tech jargon of security into a form that the board can easily understand and grasp is key.

Herb Brychta

@aeworksltd

Herb Brychta, PSP, CISSP is the AE Works Manager of Security Risk Management. He is a Physical Security Specialist with a background spanning anti-terrorism, operations, emergency management, physical security and IT. Having experience in military, federal, healthcare and commercial markets, he brings insights to shape security solutions that are balanced with operational needs and organizational culture.

"My top 3 tips for improving board communication around security are..."

Use the risk management process as a basis of communication. Security risk management is not that much different than any other business risk management process. Speak using these terms and require that your security department also use this language. Security risk is a product of assets (consequences), threats (probabilities), and vulnerabilities. Assets and consequence of their loss are better determined by boards and business unit leaders than security professionals. This variable is your input into security risk analysis and the foundation of the process. Poor input here leads to poor decisions later. Determining threats is another area where the input of C-Suite or board members is especially important. Competitor interest in organizational intellectual capital is just one example of where C-Suite or Board insight can greatly assist security professionals. Security professional expertise is needed to complete crime analysis and terrorist threat analysis to determine threats. When security fully understands your assets and the threats to those assets, only then can an organization’s vulnerability and overall risk be determined. If an asset has vulnerability to a present threat, then capital should be spent to mitigate that risk. If that chain of logic is not there, you should be critical of any request for expenditure.

Periodically review security measures for relevance and overall impact. While this activity is a bit tactical for organizational leadership, there is a need for oversight as often support functions are consolidated and centralized in larger organizations. No security measure is free, and many security measures have unintended side effects. At times, measures impact operations to the point that employees will unintentionally create risk. For example, is your key control or badging process a pain? If so, an unintended consequence could be employees propping doors open and sharing badges, all of which completely invalidates your expensive access control system. Same goes for your network. If getting system access is a very onerous process, employees will find a way to be productive (password sharing, personal email) and that is not good. If these actions are going on in your organization, don’t be so quick to blame employees. Look at your processes and make sure your support staff are serving their internal clients appropriately.

Have an honest conversation about why you are undertaking a specific security effort. Is it compliance or is an actual risk present? These are handled two different ways. For compliance, this security effort is needed for your business to operate, regardless of actual risk. Compliance requirements can come from a regulator, municipality, insurance company or even a client. If compliance is what you are after, get a courtesy inspection if possible. This will provide you with a checklist of what you need to do to achieve compliance and also reduce management time spent figuring it out. Having an initial assessment completed also greatly reduces the risk of getting something wrong come final inspection time. If you’re dealing with an actual risk to your business, that is something entirely different. You will need to use the risk management process briefly explained above to determine appropriate mitigation measures.

Stanley P. Jaskiewicz

Stanley P. Jaskiewicz is an attorney at Spector Gadon & Rosen, PC.

"My first tip would be to actually discuss security topics..."

That discussion means putting them on the board agenda, in advance, so that all board members and their staff can be invested in appropriate business planning for the meeting. Today, security cannot be left as a technical question for the IT manager. However, the holder of that position may never have been trained in the nuances of privilege, or had to confront the competitive reality of today’s marketplace (especially for law firms).

My second point is implicit in my first point. The professionals at the firm must be involved in board meeting preparation, and not delegate it entirely to the IT staff. Although security issues often can be technical, if they reach the board, they have become matters requiring professional judgment and discretion.

Finally, the board should set SMART goals for itself around security – specific, measurable, achievable, realistic and timely. A board resolution to have air-tight security by the end of the week is not only unrealistic, but flies in the face of common sense. Instead, be guided by the IT staff about what can be accomplished promptly and cost-effectively – and then decide what can (or cannot) be done, and at what expense. The only exception would be if a mission critical flaw must be corrected. If your firm’s licensing is at risk, or if your firm or its members could lose access to necessary information or markets, no expense can be spared in fixing it immediately.

Christopher P. Roach

@GreggGethard

Christopher P. Roach is the Managing Director, National IT Practice Leader at CBIZ Risk & Advisory Services.

"My top three tips for improving board communication around security are..."

Quantifying IT Risks – Quantifying breach impact using monetary amounts diminishes or altogether eliminates the cognitive biases that so often stand in the way when making decisions based on ambiguous color-coded heat maps. Using real numbers that are defendable and transparent paves the way for better communication between all parties. No more arguing over whether to implement a certain technology – just run the numbers and let them speak for themselves.

Cyber Risk Economic Tools – Fortunately, there are common cyber risk measurement practices that provide executives with the information they need to make well-informed decisions. With cyber risk economics modeling tools, CISOs can put real numbers to cyber risks. Cyber risk economics can point to key risks and predict the financial impacts associated, such as “the probability of losing more than $10 million due to security incidents in 2019 is 16 percent” or “if we implement these changes, we can reduce our cyber insurance coverage by $50 million.”

Using the Right Metrics – When it comes to cybersecurity there is a focus on the technical metrics, such as blocked traffic, transaction counts, failed logins, etc. Most of these metrics are not aligned with business objectives in a way that business leaders can understand. Metrics need to be tied to business efficiency and dollars, showing improvement over time and trending patterns demonstrating security effectiveness as it relates to the business.
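Both Rob Black's advice above ("a 5% chance of X happening with a ten-million-dollar consequence") and the "probability of losing more than $10 million" figure in this answer come from the same kind of model: a frequency distribution for how often a loss event occurs and a severity distribution for how much it costs when it does. The following is an added example, not code from the article or from any cyber risk economics product, of the simplest version of that model: a Poisson event frequency with a lognormal per-event loss, simulated over many years to produce the expected annual loss, a tail percentile, and the probability of exceeding a board-chosen threshold. A second scenario shows how the same model expresses the value of a proposed control. All parameters (event rate, median loss, tail shape, and the effect of the control) are constructed for illustration and are not estimates of any real organization's risk.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """Hypothetical annual loss model for one cyber risk scenario.

    freq_per_year: expected number of loss events per year (Poisson rate)
    median_loss:   median loss per event, in dollars (lognormal median)
    sigma:         lognormal shape parameter; larger means a fatter tail
    """
    name: str
    freq_per_year: float
    median_loss: float
    sigma: float


def _poisson(rng, lam):
    """Draw an event count for one year (Knuth's method; fine for small rates)."""
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario, years=20000, seed=7):
    """Return one simulated total loss per simulated year."""
    rng = random.Random(seed)          # fixed seed so the numbers are reproducible
    mu = math.log(scenario.median_loss)
    losses = []
    for _ in range(years):
        events = _poisson(rng, scenario.freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, scenario.sigma) for _ in range(events)))
    return losses


def analytic_expected_annual_loss(scenario):
    """Closed form for the Poisson/lognormal model; used to sanity-check the simulation."""
    return scenario.freq_per_year * scenario.median_loss * math.exp(scenario.sigma ** 2 / 2)


def exceedance_probability(losses, threshold):
    """Fraction of simulated years in which total losses exceed the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses, p):
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(round(p * (len(ordered) - 1))))]


def board_summary(scenario, threshold=10_000_000, years=20000, seed=7):
    """The numbers a board can act on: expected loss, tail loss, and P(loss > threshold)."""
    losses = simulate_annual_losses(scenario, years, seed)
    return {
        "scenario": scenario.name,
        "expected_annual_loss": sum(losses) / len(losses),
        "loss_95th_percentile": percentile(losses, 0.95),
        "p_exceed_threshold": exceedance_probability(losses, threshold),
    }


# Constructed scenario parameters, chosen for illustration only.
BASELINE = LossScenario("Ransomware, current controls",
                        freq_per_year=0.5, median_loss=2_000_000, sigma=1.2)
# Hypothetical effect of a proposed control: it halves how often the event occurs
# but does nothing to limit the damage once it happens.
WITH_CONTROL = LossScenario("Ransomware, with EDR and tested backups",
                            freq_per_year=0.25, median_loss=2_000_000, sigma=1.2)


if __name__ == "__main__":
    for scenario in (BASELINE, WITH_CONTROL):
        s = board_summary(scenario)
        print(f"{s['scenario']}: expected ${s['expected_annual_loss']:,.0f}/yr, "
              f"95th percentile ${s['loss_95th_percentile']:,.0f}, "
              f"P(loss > $10M) = {s['p_exceed_threshold']:.1%}")
```

The difference between the two scenarios' expected annual loss is the most a rational board should pay per year for the control, and the change in the exceedance probability is what feeds a cyber insurance conversation; both are numbers the board can interrogate ("why 0.5 events a year?", "why is the median $2M?") in exactly the way Rob Black describes.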

Ian McClarty

@phoenixnap

Ian McClarty has over 20 years of executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Services. PhoenixNAP employs a staff of over 600, operating in 9 locations worldwide.

"We live in a dangerous time where data breaches are commonplace, both due to external forces and human error..."

Boards, likewise, need to treat data security as a top priority to maintain cyber defense. My top three tips are:

Make security the standard across all practices; that means putting protected data in an encrypted, secure environment. Data should be kept under tight control and access limited only to key individuals that are cleared to access it. Ensure that backup and disaster recovery plans and security policies are kept up to date to protect the information. Back up information as often as possible. Emphasize to personnel to encrypt emails that contain sensitive information across all correspondence. Vet your addresses to ensure that they are delivered to the right people. Update your passwords regularly and do not share them with any other person.

We owe it to ourselves as leaders to our employees and to our clients to ensure that sensitive and classified data is kept secure. Failing to maintain that standard across the board will have disastrous consequences.

Nathan Wenzler

@Moss_Adams

Nathan Wenzler is the Senior Director of Cybersecurity at Moss Adams. Nathan has been designing, implementing and managing solutions for IT and information security organizations since 1997.

"My top three tips for those who want to improve board communication around security are..."

Focus on fundamentals. Often, executive boards will approve funding for the latest and greatest technology solutions and drive the business toward adopting it, but at the same time, aren't approving time and resources to shore up the fundamental security controls they already own and have been trying to deploy. Make sure your security teams have the means to get things like endpoint security, system and event monitoring, vulnerability assessment, and other fundamentals in place as these are still the tools that will address the largest numbers of attack vectors we see today.

Security isn't a technology function, it's a risk management function. Many executives believe that security teams are just offshoots of their IT department, and only deal with hacked servers and compromised email. The truth is, security professionals are far more than that, often dealing with legal, HR and business-specific areas of risk and are building strategies on how to mitigate those risks.

Security isn't an obstacle, it's a tool for business empowerment. Many still believe that security does nothing more than say why we can't do something. Don't click on links in email. Don't surf to those websites. Don't share your password with anyone. And while these are things that your security team is probably telling you, they're also working on ways to automate methods to detect intrusions, building secure tunnels for data to move freely to your authorized users without them having to set anything up or configure software and much more. Security, when done right, can empower your business to move quickly and with the confidence that what your employees are doing is safe, secure and lets them focus on their own roles to better the organization.

Robin Lee Allen

Robin Lee Allen is a Managing Partner for Esperance Private Equity.

"My top three tips for improving board communication around security are..."

Don't accept 'no' for an answer. When we acquire companies, security risk jumps to the top of the list of business priorities, period.

Be specific. Ominous vagaries are unlikely to move board members to action. Cite examples and solutions to a specific problem.

Be helpful. Do some research and know your stuff. Prepare short, comprehensible primers for board members to review.

Avani Desai

@AvaniDe

Avani Desai, President of Schellman & Company, LLC, is a global independent security and privacy compliance assessor.

"To improve board communication around security..."