Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Transforming CISOs Into Storytellers

Faced with chilling new SEC rules, chief information security officers are learning soft skills to help them better communicate cybersecurity concerns with the C-suite.

4 Min Read
Source: Panther Media GmbH via Alamy Stock Photo

In an era when chief information security officers (CISOs) can potentially face fraud charges following a security incident, it's more important than ever that they develop good relationships with C-suite executives and corporate boards. Strong relationships with CEOs, chief financial officers (CFOs), and board members can help CISOs make a stronger case for cybersecurity efforts within their organizations, potentially insulating them from taking the fall when things go wrong.

With new US Securities and Exchange Commission (SEC) rules on reporting material breaches, conversations about cybersecurity at the board and C-suite levels have changed in the past year, says Jason Lee, CISO at cybersecurity and data analysis vendor Splunk. The company's "The CISO Report" found that more than 90% of CISOs are now regularly attending board meetings.

Board members, CEOs, and other executives are also more interested in hearing about an organization's holistic security program than simply checking compliance boxes. Their focus includes the return on investment (ROI) of cybersecurity purchases and the level of cyber insurance their enterprise needs, Lee adds.

This new era of regular interaction requires a new skill set, says Lane Sullivan, CISO of Magellan Health. Instead of a laser focus on the technologies and practices that enable strong cybersecurity, the CISO also needs to have the soft skills necessary to explain the organization's security needs to people with limited technical expertise.

"The tools in the toolbox change for CISOs," Sullivan says. "Not only do you have to be a good storyteller, but you have to be able to communicate to different audiences. And you still have to talk technically with your IT counterparts."

The Storytelling CISO

Conversations with the board are turning away from compliance and focusing instead on resiliency and the impact of cyber threats, as board members and C-suite executives seem more focused on risk than they have in the past, Sullivan says.

The CISO as a storyteller is important because the same old slideshows illustrating the latest data breaches in the news may not hold their colleagues' interest, Lee adds. Board members are increasingly asking about the relevance of this news to their organizations, and CISOs must be ready to clearly explain complex topics, such as how a breach at a company that has a business relationship with a vendor may create a huge risk.

"Being able to show those business contexts, like the ROI of security investments, is a huge thing that we need to focus on, and CISOs don't normally spend a lot of time on presenting and trying to be on that storytelling side," Lee says. "That soft skill side is one area that we've got to continue to invest in."

With the new SEC rules, boards need to be actively involved with CISOs following a breach, Lee says, adding that the two groups should engage in discussions involving whether the breach was material and what information should go in the 8-K and 10-K reports to the SEC. Boards should also increasingly interact with CISOs about the decisions being made following a breach.

"The board is going to want to know, 'How did you determine materiality on this?'" Lee says. "'Are you going to be sharing this with investors?'"

While the SEC rules put CISOs in the legal crosshairs, the new regulations are also driving better communication between board members and CISOs, Lee adds.

Forming a Direct Connection

In the past couple of years, many corporate boards have formed cybersecurity committees to develop expertise among a subset of board members. These committees give CISOs more face time with board members. Instead of 15 minutes with the audit committee every quarter, a CISO might now spend 90 minutes with the cybersecurity committee.

"By having board members who are dedicated, and then having a specific session every quarter on cybersecurity, you're starting to see more cyber experience of [board] experts and just more depth than a couple of years ago," Lee says.

While direct access to board members can be beneficial to CISOs, Lee says it can be equally as helpful for them to have a good relationship with the CEO, chief information officers (CIOs), or another executive who will also make the case for cybersecurity with the board. The CISO's ability to do the job well depends on full buy-in from the board and top executives, and cybersecurity advocacy can come from multiple voices.

The good news for CISOs is that organizations are elevating the position within their corporate structures. Splunk's report found 47% of surveyed CISOs report directly to their CEOs, instead of through layers of management; Lee says he had originally expected the percentage to be lower. The report found 40% of CISOs reporting to CIOs — a more traditional approach — with another 5% reporting to CFOs and 4% reporting to chief operating officers.

The level of communication between CISOs and boards correlates to the level of cybersecurity maturity at an organization, Sullivan says.

"A direct connection with a CISO can mean a lot of different things, involving a lot of different people," Sullivan says.

About the Author(s)

Grant Gross, Contributing Writer

Grant Gross is a long-time tech policy reporter, most recently serving as Washington correspondent and senior editor at IDG News Service. Since 2003, he’s written about topics such as net neutrality, electronic surveillance, cybersecurity, and digital copyright legislation. He’s also a former managing editor at, and in a past life, he covered school board and county commission meetings for newspapers in the Dakotas and Minnesota. More information can be found a.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights