Robinson+Cole has the distinct pleasure to host the CISO Executive Network in Hartford and Boston. It is an opportunity to hang out with Chief Information Security Officers (CISOs), develop relationships with them, discuss commonality in the issues they experience, and collaborate on different strategies to address their concerns.
This week the meetings centered on effective ways to report cybersecurity progress to your Board. Although I frequently present to Boards, educate Boards and sit on several Boards myself, and although this was not the first session I have attended on the gap between information security and the Board, it was a great conversation. The following are 10 takeaways I thought I would share:
- Assess honestly whether you are the right person to report to the Board. If you are not a good speaker or have a difficult time focusing or connecting with a group, recruit someone more effective to report to the Board. Keep to your strengths.
- During your first time reporting to the Board, tell them your qualifications to garner respect and their attention.
- Pick one to two topics, don’t get too detailed, and stay focused.
- Provide a general assessment of cyber progress, then discuss your chosen topic(s).
- Stay positive and refrain from always reporting on doom and gloom.
- Don’t get too far in the weeds and don’t get too techy—if you see Board members’ eyes wandering or glazing over, you are losing them.
- If you are reporting on an incident or a strategy to respond to a weakness or vulnerability, provide a synopsis of what happened or what needs improvement, what you are doing to respond to it or improve it, and that you will keep them advised of progress.
- Don’t throw your boss under the bus.
- Consider using easy-to-read dashboards or other ways to provide a synopsis.
- Consider redirecting open and unfilled staff positions to support other needs, such as an analysis of vendors and tools that could save the company money.
Boards know that cyber risk is a top priority, read about it in the news, and are afraid the organization will be the next one to suffer a breach. Understand that they usually don’t have a technical background, so keep the technical discussions simple. Focus on cyber risks and your strategy for managing them. Above all, get into the boardroom, develop relationships with your Board members and involve them in solutions.