Do you remember the time when security professionals were just a tiny part of an IT group? Today, they have evolved as members of executive leadership teams. Chief Information Security Officers (CISOs) and other security leaders play an essential role in an organization. Managing cyber risks has become one of the critical focus areas.
But a CISO’s role doesn’t end there.
A CISO needs to meet their board’s expectations, communicate effectively with them, and earn their trust. What’s the best approach?
In episode 5, Trust vs. The Board, the HITRUST team discusses these approaches with their guests, Christopher Hetner and Dr. Kevin Charest. Hetner is a Cyber Risk Advisor at the National Association of Corporate Directors (NACD) and serves the board at several other organizations. Dr. Charest is the Executive Vice President and Chief Technology Officer (CTO) at HITRUST with experience in serving as a CISO at other organizations.
Here are some key learnings from their conversation. For the whole discussion, listen to the episode on your favorite podcast streaming platform.
1. What is the board looking for?
Board members see you as a cybersecurity expert and seek to learn from you. But they also want you to earn their trust.
Of course, the board wants you to excel at your job and keep the organization away from cyber risks. They’re aware that you understand the threat landscape. But what about the business landscape? Communicating with the board is an excellent opportunity to showcase your understanding, plans, strategies, and tactics.
2. How should CISOs communicate with the board?
Cybersecurity is important. But as a CISO, how do you articulate it to the board?
According to the Forbes Technology Council report, 90% of companies in the Russell 3000 do not have a single director with cyber expertise. This means board members may not fully comprehend technical complexities.
Cybersecurity takes a significant portion of your organization’s investments. It is critical to communicate the importance of this investment to the senior level. To gain the board’s attention, make the communication business-oriented. Explain how robust security measures can impact business development. Carve a place for cybersecurity in key business goals.
Encourage transparency. When you detect that your organization is missing some core cybersecurity hygiene, inform the board immediately. Hire an outsider who can evaluate your cybersecurity measures and help you present concrete reports to the upper management.
3. How should CISOs earn the trust of the board?
You’re doing everything to create the best cybersecurity posture for your organization. You have robust programs in place. You’re conducting mock drills and offering training programs. If a cybersecurity event occurs, your organization is ready to face it.
But that’s not enough to earn the trust of the board.
The board is looking for outcomes and achievements. In a business meeting, a sales executive may show they are meeting their goals by selling 500 products monthly. But how can you quantify security?
Invest in a reliable assurance like HITRUST to assess your cybersecurity program and earn the board’s trust. HITRUST evaluates emerging threats and assesses your organization’s security controls based on what’s essential. HITRUST certifications are widely recognized and help to amplify business opportunities.
Key takeaway
As a CISO, when you talk to the board using technical cybersecurity terminologies, you lose its attention. Your focus is solutions and technologies, but the rest of the organization needs to hear outcomes and see business impacts. To communicate effectively, talk to the board in their language. Build a coherent cyber risk narrative that helps the board make informed business decisions.
To learn more from experts, listen to the full podcast episode.