Actionable Tips for Engaging the Board on Cybersecurity

Up your game with your company's board of directors to help them understand your cybersecurity priorities.

There's never been a tougher time to be a chief information security officer (CISO). Since the onset of COVID-19 in March 2020, cyberattacks are up by 92%, and the average data breach now costs $3.86 million, according to IBM and the Ponemon Institute. Still, many CISOs find themselves struggling to engage their board members on cybersecurity priorities.

Generally speaking, there has been a lack of technology leadership on boards of directors. It's beginning to change, but it's important for CISOs and chief information officers (CIOs) to understand that they most likely will be starting cybersecurity and IT conversations with the board with the basics. They need to be prepared to build a foundation of education and understanding with board members on both cybersecurity challenges and technology solutions. When a board member sees a competitor's massive breach and asks, "I just saw this ransomware attack in the news — can it happen to us?" the trust you previously established as an expert can help accelerate the discussion on potential risks and an action plan.

I recently attended a meeting with the AttackIQ Informed Defenders Council where cybersecurity leaders discussed challenges and solutions for building better engagement between CISOs and board members on cybersecurity, and a number of key themes emerged. The Council is a security-leader forum for sharing transformational technologies, organizational skills, and defense best practices to improve security program effectiveness and efficiency, and I am a founding member.

Actionable Tips for Building Board Rapport
A simple, yet powerful, approach to building rapport is holding one-on-one meetings with board members. Schedule meetings with each member to give them an understanding of where your cybersecurity program is today and the journey you want to take to get to a proactive, threat-informed cyber-defense strategy. Post COVID-19, when meetings are in-person again, look for opportunities to connect and converse with board members at dinner the night before the meeting, during breakfast, and over coffee breaks. Your goal is to break down the "wall of mystery" that some members feel about security practices.

Start by remembering how invested the board member is in the company's success; in some cases, they've helped grow the company from an idea to the mature organization it is today. Help them understand what translates from your cybersecurity program to the business model, rather than a technology-only discussion. Clearly lay out the biggest risks, negative consequences, and threats that could do the most damage to your organization. Be proactive about assessing risk to the business at large. Ask the board member about their top concerns and share the top 10 cyber-risks that you see facing the organization. Help them understand that phishing is not the only risk to the company. Show them that their data and customer data are also at risk.

Watch Your Language
Use a common lexicon of terms at the beginning of the relationship. For example, are they familiar with the MITRE ATT&CK framework? If not, describe it in one sentence: It is a framework of known adversary tactics, techniques, and common knowledge, a kind of periodic table that lists and organizes malicious actor behavior in an accessible, user-friendly format, giving everyone in the security community a single tool to discuss and test against adversary activities.

What other concepts can you introduce in simple language? Are there events that might resonate with them? Are they familiar with how the Russians conducted a cyber-influence operation on the 2016 US presidential election or how the Chinese government allegedly stole Joint Strike Fighter data from a defense contractor? Create easily digestible content for them about hostile attackers, what they do, and how teams defend against them effectively. This will help you build a common foundation for moving forward as you discuss new threats, technologies, and security concepts.

Show and Tell
As a member of multiple public boards, I appreciate receiving concise, targeted articles and case studies to read or watch before meetings. In cybersecurity, tabletop exercises are also often illuminating. Why not show your members what a major ransomware attack looks like and use an exercise as a chance to talk about difficult choices the company may face in the event of an attack: How much would we pay if we were breached by a ransomware attack? 

Many boards don't realize that their company's attack surface has grown and that the risk of an attack is exponentially higher than in the past. Tell the board when you stop an intruder from moving laterally. Send them quarterly reports describing lessons you have learned from your tabletop exercises and outlining progress you have made (and plans you have) for improving your security program effectiveness. 

You can also leverage breaches that happen to competitors to learn what to do — and not do — in a situation. Talk openly about budget impacts and how to make the most of your limited resources. There are new security optimization platforms available that can help you speak confidently about where you may be overinvesting and where you are getting the right quality from your team, processes, and technologies. 

Be Ready to Pivot
Lastly, be ready to pivot your architecture to be more competitive on the other side of the pandemic. Look for opportunities to accelerate your security program during COVID-19. Many teams have been able to speed up innovation, particularly around remote working for positions that previously weren't thought possible outside the corporate office.

For many companies, security is transforming from being a business blocker to an enabler. Remember, diamonds are made under pressure, so make sure to use accelerating threats as an opportunity to harden your defenses and shine.

Virginia Gambale is a current board member of JetBlue, Nutanix, Virtu Financial, First Derivatives, and Regis and a technology advisor and investor with deep domain expertise in financial services, business services, and consumer sectors. Additionally, she serves as a ...
