What are some common challenges any new CISO should be prepared for when it comes to engaging and educating their board on cybersecurity?

Group Director of Information Security in Banking, 25 days ago
Most of the board members sit on multiple boards, so they hear briefings and ideas about what's new on the infosec horizon and what matters are of concern across organisations. This is what makes them ask seemingly highly technical and relevant questions of CISOs, because they have been taking mental notes of what they have been hearing. The most common things CISOs should prepare for such meetings are:
On the engagement front (it depends on your air time), but if it's between 15-20 mins:

1. It should never start with risks, gloom and doom. Specify the good that's been accomplished. Stuff happened (that's in the news), but explain how you remained unaffected because of what you're doing right. Mention that "we need to further sustain it by doing (a) and mature ourselves."

2. Mention some initiatives that brought about an increase in compliance posture (to safeguard against fines/penalties) and/or made customer-side processes resilient and/or increased their trust in your organisation's e-services.

3. Lastly, it could be the cyber threats that have been in the news since you last met them. Where do you stand in terms of your exposure and versus peers (if metrics are available)? Which business processes are most exposed (not the software/applications)? Mention that you propose (x) for the short term to mitigate the risk and that it will cost us $y while you work on a long-term solution.

The above 3 points, if executed correctly, will cover aspects of both engagement and education. Try not to use too much text in PowerPoint; keep the meat for the voice-over.
CIO in IT Services, 23 days ago
This is a complex issue that could easily take hours to fully discuss. The role of the CISO has evolved significantly, and not necessarily for the better. Due to SEC cybersecurity disclosure rules, the liability for cybersecurity incidents now heavily falls on the CISO. As a result, many experienced CISOs are leaving their positions because they are unwilling to face the potential legal consequences for incidents that may occur due to a lack of investment or support from their companies.

The SEC rules require that the board be aware of cybersecurity and incident response, but they stop short of mandating that a CISO be on the board. This has led to a trend where companies are promoting SecOps managers to head-of-security roles, often without the necessary experience. These individuals are typically less expensive but lack the comprehensive understanding needed for effective incident response and board communication.

The market is now saturated with inexperienced CISOs who often seek mentorship from seasoned professionals. However, these new CISOs often struggle with board communication because they lack the depth of experience required to translate technical metrics into business impact. They might present data on the number of attacks or their origins, but fail to convey how these incidents affect the company’s operations and bottom line, which is what the board truly cares about.

Senior Information Security Manager in Software, 23 days ago

Yes, I have observed SecOps managers taking the lead in incident response efforts. In my experience, if you take all of the laws, regulations, and combine them, you will find about an 80-85% overlap. The key point is to have a robust security program in place, which allows you to handle any new regulation effectively. It's like driving in different cities; once you know how to drive, you just need to adapt to local nuances. Similarly, a good security program can accommodate new regulations without needing radical changes. People often get nervous about new regulations, but most new requirements can be integrated into an existing well-structured security program.

Director of IT in Healthcare and Biotech, 23 days ago
One key thing for CISOs is to understand their audience before engaging with them. Effective communication about cybersecurity involves knowing the organization's history and previous experiences. This understanding is crucial, especially for new CISOs, as it helps them communicate more effectively and address challenges better.

CIO in IT Services, 23 days ago
The main advice is to keep it simple and concise. Avoid technical jargon. It's also beneficial to consult with General Counsel or your legal team beforehand. They usually provide valuable guidance and help CISOs stay on track. If you've been to a board meeting and haven't been invited back, it's likely because you were too verbose. Keep your responses brief and to the point, unless asked to elaborate. Even then, keep it short, simple, and easy to understand without delving into too many details.
