More than ever before, chief information security officers (CISOs) now find themselves in front of the board of directors, detailing the security incidents, issues and solutions that affect the business. For those not accustomed to it, presenting to the board can be a difficult experience, one in which they want to impart all the necessary information without wasting anyone's time. On top of the business reasons for understanding how to best present information, this experience is also important for the CISO on a personal level as it can define how the board views them.
For those CISOs struggling with how to present before a board of directors, a new survey has some insight into what business leaders are looking for. "Cybersecurity in the Boardroom," a survey conducted by the NYSE Governance Services in partnership with Veracode, asked 200 board members about their views on cybersecurity. One aspect of the report focuses on CISOs presenting to the board and exactly what kind of information the board looks for. While the entire report is beneficial for any CISO, focusing on this section will provide valuable insight into how CISOs can get the most out of the handful of minutes spent with these business leaders.
High-Level Security Strategy Descriptions
Responsibility for security incidents now goes up to the highest levels of management. If an incident occurs, the public may call on members of the C-suite or the board to discuss the incident and explain why it happened. Members of the board are therefore more invested than ever in understanding exactly what protects their systems, as evidenced by the 33 percent of respondents who selected "high-level strategy description" as their preferred method of receiving communication on overall system security.
Members of the board may not understand the technical details, but if the CISO is a good communicator with a reasonable level of business acumen, providing a high-level description of the security solutions, protocols and policies should impart enough information to satisfy the board without confusing or boring them with technical minutiae.
For boards who don't understand or want a high-level detail of the security strategy, there are other ways to express an organization's security status. The use of metrics is a good way to take information that can be difficult to understand and transform it into easily quantifiable information that the board will readily grasp.
These metrics can cover risk benchmarks compared against the whole of information security, as well as the organization's specific industry, to provide the board with the most relevant data. Metrics should also be tracked over time to allow the board to see how the situation has changed in the recent past. When the metrics are carefully built — and aren't cherry-picked for positive-looking results — they provide the board with real insight into how secure the business currently is.
Other Useful Considerations
High-level descriptions and risk metrics are the presentation methods preferred by the majority of boards, but there were a few other methods, coming in at about 10 percent each, that CISOs should know about. Eleven percent of board members were also interested in their enterprise's security and risk posture when compared to peers within the industry. This goes deeper than most risk metrics, taking intangibles into account as well.
Other board members (11 percent) wanted a deep description of the security technologies themselves. This is likely more common in high-tech industries, where members of the board are more likely to be able to grasp the core details of a technology solution.
Finally, 9 percent of respondents wanted to know the audit and compliance statistics. When audits are built properly, these numbers can be very helpful in understanding a business's overall security situation. However, if generic compliance and audit tools are utilized, these results can be practically useless. CISOs should have the security team spend time customizing their audits and compliance reports before reporting compliance numbers to the board, and ensure the board understands that generic industry compliance is simply not good enough.
Focusing on these areas before presenting to the board will provide CISOs with a significant advantage. By building an understanding of exactly what business leaders are looking for, CISOs can tailor their message to both get their point across regarding the enterprise's security and to improve their standing in the eyes of those who run the business.
Photo Source: Flickr