Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

01:00 PM
Connect Directly
E-Mail vvv

Actionable Tips for Engaging the Board on Cybersecurity

Up your game with your company's board of directors to help them understand your cybersecurity priorities.

There's never been a tougher time to be a chief information security officer (CISO). Since the onset of COVID-19 in March 2020, cyberattacks are up by 92%, and the average data breach now costs $3.86 million, according to IBM and the Ponemon Institute. Still, many CISOs find themselves struggling to engage their board members on cybersecurity priorities.

Generally speaking, there has been a lack of technology leadership on boards of directors. It's beginning to change, but it's important for CISOs and chief information officers (CIOs) to understand that they most likely will be starting cybersecurity and IT conversations with the board with the basics. They need to be prepared to build a foundation of education and understanding with board members on both cybersecurity challenges and technology solutions. When a board member sees a competitor's massive breach and asks, "I just saw this ransomware attack in the news — can it happen to us?" the trust you previously established as an expert can help accelerate the discussion on potential risks and an action plan.

Related Content:

How to Boost Executive Buy-In for Security Investments

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Cybercrime 'Help Wanted': Job Hunting on the Dark Web

I recently attended a meeting with the AttackIQ Informed Defenders Council where cybersecurity leaders discussed challenges and solutions for building better engagement between CISOs and board members on cybersecurity, and a number of key themes emerged. The Council is a security-leader forum for sharing transformational technologies, organizational skills, and defense best practices to improve security program effectiveness and efficiency, and I am a founding member.

Actionable Tips for Building Board Rapport
A simple, yet powerful, approach to building rapport is holding one-on-one meetings with board members. Schedule meetings with each member to give them an understanding of where your cybersecurity program is today and the journey you want to take to get to a proactive, threat-informed cyber-defense strategy. Post COVID-19, when meetings are in-person again, look for opportunities to connect and converse with board members at dinner the night before the meeting, during breakfast, and over coffee breaks. Your goal is to break down the "wall of mystery" that some members feel about security practices.

Start by remembering how invested the board member is in the company's success; in some cases, they've helped grow the company from an idea to the mature organization it is today. Help them understand what translates from your cybersecurity program to the business model, rather than a technology-only discussion. Clearly lay out the biggest risks, negative consequences, and threats that could do the most damage to your organization. Be proactive about assessing risk to the business at large. Ask the board member about their top concerns and share the top 10 cyber-risks that you see facing the organization. Help them understand that phishing is not the only risk to the company. Show them that their data and customer data are also at risk.

Watch Your Language
Use a common lexicon of terms at the beginning of the relationship. For example, are they familiar with the MITRE ATT&CK framework? If not, describe it in one sentence: It is a framework of known adversary tactics, techniques, and common knowledge, a kind of periodic table that lists and organizes malicious actor behavior in an accessible, user-friendly format, giving everyone in the security community a single tool to discuss and test against adversary activities.

What other concepts can you introduce in simple language? Are there events that might resonate with them? Are they familiar with how the Russians conducted a cyber-influence operation on the 2016 US presidential election or how the Chinese government allegedly stole Joint Strike Fighter data from a defense contractor? Create easily digestible content for them about hostile attackers, what they do, and how teams defend against them effectively. This will help you build a common foundation for moving forward as you discuss new threats, technologies, and security concepts.

Show and Tell
As a member of multiple public boards, I appreciate receiving concise, targeted articles and case studies to read or watch before meetings. In cybersecurity, tabletop exercises are also often illuminating. Why not show your members what a major ransomware attack looks like and use an exercise as a chance to talk about difficult choices the company may face in the event of an attack: How much would we pay if we were breached by a ransomware attack? 

Many boards don't realize that their company's attack surface has grown and that the risk of an attack is exponentially higher than in the past. Tell the board when you stop an intruder from moving laterally. Send them quarterly reports describing lessons you have learned from your tabletop exercises and outlining progress you have made (and plans you have) for improving your security program effectiveness. 

You can also leverage breaches that happen to competitors to learn what to do — and not do — in a situation. Talk openly about budget impacts and how to make the most of your limited resources. There are new security optimization platforms available that can help you speak confidently about where you may be overinvesting and where you are getting the right quality from your team, processes, and technologies. 

Be Ready to Pivot
Lastly, be ready to pivot your architecture to be more competitive on the other side of the pandemic. Look for opportunities to accelerate your security program during COVID-19. Many teams have been able to speed up innovation, particularly around remote working for positions that previously weren't thought possible outside the corporate office.

For many companies, security is transforming from being a business blocker to an enabler. Remember, diamonds are made under pressure, so make sure to use accelerating threats as an opportunity to harden your defenses and shine.

Virginia Gambale is a current board member of JetBlue, Nutanix, Virtu Financial, First Derivatives, and Regis and a technology advisor and investor with deep domain expertise in financial services, business services, and consumer sectors. Additionally, she serves as a ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS build 20210202 (and later) QT...
PUBLISHED: 2021-04-16
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request...