How CISOs Can Talk to the Rest of the Board About Data Security
Originally posted on Lepide by Aidan Simister.
We all know by now that cybersecurity isn’t just an IT problem. The dramatic effects a data breach can have on an organization, in terms of both reputation and damages from non-compliance, mean that everyone from the CMO to the CEO needs to be concerned about data security.
One of the biggest problems organizations face is that their employees, particularly those with elevated privileges, mishandle data (most of the time unintentionally). The root of this problem often stems from a lack of awareness surrounding the latest cybersecurity threats and the consequences of mishandling sensitive data.
There is a significant gap between those with cybersecurity at the forefront of their mind (i.e. the CISOs and security teams) and the rest of the board/organization. In many cases, CISOs have difficulty explaining data security even to the CEOs themselves.
This is a knowledge and understanding gap that needs to be bridged if we have any hope of reducing the number of insider threats that we see each year.
But where do we start?
Understand Where the Rest of the Board is Coming From
In a nutshell, it’s all about empathy.
One of the biggest challenges of being a CISO is presenting data security findings and risk mitigation strategies to the rest of the board in a way that they understand. Each member of the board is coming at the problem from their own unique perspective so, in effect, the CISO has to translate the information into a different language for each individual.
Take the CEO as an example. The main concerns for CEOs are how to grow the business and ensure that the lights stay on. So, when it comes to cybersecurity, they are unlikely to care that you’ve noticed an unusually large number of failed logins over the last few days. They want to know the whole picture, and how it relates to the business in terms of financials.
The key to appealing to the rest of the board is to cite the bigger picture. Stick to the following:
- Let everyone know the results of your most recent risk assessments in terms they will understand. So, in simple terms, are we at risk right now? What are the chances of us suffering a data breach right now, and how much would it cost?
- Go through your current cybersecurity strategies and policies in broad terms. Are you able to cope with a data breach? How long would it take you to recover? How much would it cost?
- Explain what you need to get your job done more effectively. What cybersecurity training should you invest in? What data security solutions should you choose? How are you going to ensure that the company doesn’t lose money as a result of a data breach?
Be Functional, Not Technical
Nobody likes technical jargon, not even CISOs. There’s no quicker way to lose someone’s attention than by talking in technical detail. Keep conversations purely business focused. Talk in terms of risk, consequences, and benefits.
For example, it’s no use trying to explain to the rest of the board how important it is that they regularly update their passwords and improve the strength of their passwords. They may understand the reason why you’re talking about it but it’s still not likely to change behavior. Talk instead about the business impact of not adhering to those policies (particularly in terms of the monetary backlash that could arise).
Remember, cybersecurity is a business problem, not an IT problem. It is the CISO's responsibility to ensure that they are communicating effectively with the rest of the board when it comes to data security.