There's never been a tougher time to be a chief information security officer (CISO). Since the onset of COVID-19 in March 2020, cyberattacks are up by 92%, and the average data breach now costs $3.86 million, according to IBM and the Ponemon Institute. Still, many CISOs find themselves struggling to engage their board members on cybersecurity priorities.
Generally speaking, there has been a lack of technology leadership on boards of directors. That is beginning to change, but CISOs and chief information officers (CIOs) should expect to start most cybersecurity and IT conversations with the board from the basics. They need to be prepared to build a foundation of education and understanding with board members on both the cybersecurity challenges and the technology solutions. Then, when a board member sees a competitor's massive breach and asks, "I just saw this ransomware attack in the news — can it happen to us?" the trust you previously established as an expert can help accelerate the discussion of potential risks and an action plan.
I recently attended a meeting with the AttackIQ Informed Defenders Council where cybersecurity leaders discussed challenges and solutions for building better engagement between CISOs and board members on cybersecurity, and a number of key themes emerged. The Council is a security-leader forum for sharing transformational technologies, organizational skills, and defense best practices to improve security program effectiveness and efficiency, and I am a founding member.
Actionable Tips for Building Board Rapport
A simple, yet powerful, approach to building rapport is holding one-on-one meetings with board members. Schedule meetings with each member to give them an understanding of where your cybersecurity program is today and the journey you want to take to get to a proactive, threat-informed cyber-defense strategy. Post COVID-19, when meetings are in-person again, look for opportunities to connect and converse with board members at dinner the night before the meeting, during breakfast, and over coffee breaks. Your goal is to break down the "wall of mystery" that some members feel about security practices.
Start by remembering how invested the board member is in the company's success; in some cases, they've helped grow the company from an idea to the mature organization it is today. Frame the conversation in terms of how your cybersecurity program maps to the business model, rather than as a technology-only discussion. Clearly lay out the biggest risks, the negative consequences, and the threats that could do the most damage to your organization. Be proactive about assessing risk to the business at large: ask the board member about their top concerns, and share the top 10 cyber-risks you see facing the organization. Help them understand that phishing is not the only risk to the company, and show them that the company's own data and its customers' data are also at stake.
Watch Your Language
Use a common lexicon of terms at the beginning of the relationship. For example, are they familiar with the MITRE ATT&CK framework? If not, describe it in one sentence: It is a framework of known adversary tactics, techniques, and common knowledge, a kind of periodic table that lists and organizes malicious actor behavior in an accessible, user-friendly format, giving everyone in the security community a single tool to discuss and test against adversary activities.
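One concrete way to make the "periodic table" idea tangible for a board is to show how detections map onto it. The script below is an added example, not code from the article, from AttackIQ, or from MITRE: it holds a small constructed excerpt of the ATT&CK Enterprise matrix (the IDs, names, and tactic assignments are real, but only eight of the hundreds of techniques are included) and a constructed inventory of detection rules, then summarizes coverage per tactic and lists the gaps. The rule names, the `DETECTIONS` structure, and the deliberately bad `T9999` mapping are all assumptions made for the example.

```python
"""Summarize detection coverage against MITRE ATT&CK, tactic by tactic.

Added example for this article; not the author's, AttackIQ's, or MITRE's code.
ATTACK_EXCERPT is a constructed excerpt of the ATT&CK Enterprise matrix
(real IDs, names and tactic shortnames, but only a handful of techniques).
DETECTIONS is constructed sample data standing in for a SOC's rule inventory.
"""
from collections import defaultdict

# Constructed excerpt: technique ID -> (name, list of ATT&CK tactic shortnames).
# T1078 legitimately appears under four tactics, which is why coverage must be
# counted per tactic rather than per technique.
ATTACK_EXCERPT = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
    "T1490": ("Inhibit System Recovery", ["impact"]),
}

# Constructed sample rule inventory (rule names are hypothetical).
# The last entry references a technique ID that is not in the catalog, the
# kind of stale or mistyped mapping that silently inflates coverage numbers.
DETECTIONS = [
    {"rule": "mail-gateway-phish", "techniques": ["T1566"]},
    {"rule": "edr-lsass-access", "techniques": ["T1003"]},
    {"rule": "shadow-copy-deletion", "techniques": ["T1490"]},
    {"rule": "rdp-new-source", "techniques": ["T1021"]},
    {"rule": "legacy-ids-alert", "techniques": ["T9999"]},
]


def unmapped_detections(catalog, detections):
    """Return (rule, technique_id) pairs whose ID is not in the catalog."""
    return [(d["rule"], tid) for d in detections
            for tid in d["techniques"] if tid not in catalog]


def coverage_by_tactic(catalog, detections):
    """Return {tactic: (covered, total, sorted list of uncovered technique IDs)}."""
    covered = {tid for d in detections for tid in d["techniques"] if tid in catalog}
    per_tactic = defaultdict(lambda: [0, 0, []])  # [covered, total, gaps]
    for tid, (_name, tactics) in catalog.items():
        for tactic in tactics:
            row = per_tactic[tactic]
            row[1] += 1
            if tid in covered:
                row[0] += 1
            else:
                row[2].append(tid)
    return {t: (c, n, sorted(gaps)) for t, (c, n, gaps) in per_tactic.items()}


def overall_coverage(catalog, detections):
    """Return (techniques with at least one mapped rule, techniques in catalog)."""
    covered = {tid for d in detections for tid in d["techniques"] if tid in catalog}
    return len(covered), len(catalog)


def board_summary(catalog, detections):
    """Render a plain-text table a CISO could paste into a quarterly report."""
    rows = coverage_by_tactic(catalog, detections)
    lines = []
    for tactic in sorted(rows):
        c, n, gaps = rows[tactic]
        line = f"{tactic:<22}{c}/{n} ({100 * c // n:3d}%)"
        if gaps:
            line += "  gaps: " + ", ".join(f"{g} {catalog[g][0]}" for g in gaps)
        lines.append(line)
    c, n = overall_coverage(catalog, detections)
    lines.append(f"{'overall':<22}{c}/{n} techniques have a mapped detection")
    for rule, tid in unmapped_detections(catalog, detections):
        lines.append(f"WARNING: rule {rule!r} maps to unknown technique {tid}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(board_summary(ATTACK_EXCERPT, DETECTIONS))
```

Two caveats belong in the board conversation alongside the table. First, a rule that is mapped to a technique is not the same as a rule that has been shown to fire; coverage numbers like these only mean something once each technique has actually been exercised against the environment, which is the "test against adversary activities" part of the lexicon. Second, the gap list is the useful output, not the percentage: "we cannot see valid-account abuse or script execution" is a sentence a board member can act on.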
What other concepts can you introduce in simple language? Are there events that might resonate with them? Are they familiar with how the Russians conducted a cyber-influence operation on the 2016 US presidential election or how the Chinese government allegedly stole Joint Strike Fighter data from a defense contractor? Create easily digestible content for them about hostile attackers, what they do, and how teams defend against them effectively. This will help you build a common foundation for moving forward as you discuss new threats, technologies, and security concepts.
Show and Tell
As a member of multiple public boards, I appreciate receiving concise, targeted articles and case studies to read or watch before meetings. In cybersecurity, tabletop exercises are also often illuminating. Why not show your members what a major ransomware attack looks like and use an exercise as a chance to talk about difficult choices the company may face in the event of an attack: How much would we pay if we were breached by a ransomware attack?
Many boards don't realize that their company's attack surface has grown and that the likelihood of an attack is far higher than in the past. Tell the board when you stop an intruder from moving laterally. Send them quarterly reports describing the lessons you have learned from your tabletop exercises and outlining the progress you have made (and the plans you have) for improving your security program's effectiveness.
You can also leverage breaches that happen to competitors to learn what to do — and not do — in a situation. Talk openly about budget impacts and how to make the most of your limited resources. There are new security optimization platforms available that can help you speak confidently about where you may be overinvesting and where you are getting the right quality from your team, processes, and technologies.
Be Ready to Pivot
Lastly, be ready to pivot your architecture to be more competitive on the other side of the pandemic. Look for opportunities to accelerate your security program during COVID-19. Many teams have been able to speed up innovation, particularly around remote working for positions that previously weren't thought possible outside the corporate office.
For many companies, security is transforming from being a business blocker to an enabler. Remember, diamonds are made under pressure, so make sure to use accelerating threats as an opportunity to harden your defenses and shine.