The CISO has finally made it to the board level – now what?

Image credit: sirtravelalot /

As an industry, we now have a plethora of high profile breaches that we can point to when we discuss the impact of not taking security seriously enough. From Home Depot and Target to Sony Pictures and Yahoo, the list goes on.  When names like Wannacry and Mirai become water-cooler conversation, well that says something. If there is any upside to all this, it’s that the role of the Chief Information Security Officer (CISO) has finally been accepted at the board level.

According to an article in the Deloitte Review, the more traditional role of the CISO was focused on monitoring, repelling, and responding to cyber-threats while meeting compliance requirements are well-established duties of CISO or their equivalents, and their teams.

The article continues the track that business leaders need the CISO to take a stronger and more strategic leadership role. Inherent to this new role is the imperative to move beyond the role of compliance monitors and enforcers to integrate better with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise.

It’s been a long time coming, but now the CISO has arrived and presumably now has the board’s full attention, what do they share?

It may sound like a no-brainer, but while CISOs want to build more effective relationships with their business counterparts, finding a shared language is not always easy. Speaking the SINET Innovation Summit in New York, a group of CISOs offered practical tips for communicating with board members:

“It’s not necessary in my mind for a board conversation to have a very metrics-heavy dialogue,” said Rohan Amin, global chief information security officer for J.P. Morgan Chase & Co., during a panel discussion on cybersecurity metrics at the SINET Innovation Summit. “Things like that are completely irrelevant for a board conversation.”


“Fundamentally what the board wants to know is are you successfully executing on your program. Are the right people in place, is the right governance structure in place to really affect the program that you need,” said Boaz Gelbord, chief information security officer at Bloomberg LP.

Gary Owen, VP and CISO at Time Warner, advised CISOs to cater their message to the needs of the board. In short, don’t disrupt the rhythm of the meeting, and avoid unnecessary statistics dumps or information about cyber attacks that could throw them off and lead to lots of undesired questions.

J.P. Morgan’s Amin added that everyone should be looking at the same data:

While a senior executive might see a simplified “key risk indicator” that summarizes the firm’s security posture, it should be derived from the same underlying data used by those farther down in the organization.

Meanwhile, Security Scorecard has some terrific tips for CISO communication in this blog post:

Like it or not, as a CISO, you must continually prove your worth to the company. Part of this is reassuring the Board that you are effectively managing the security program. This can be done in many ways:

  • Create a list of current and finished projects since the last meeting and explain how they have positively impacted the company

  • Summarize spending on the security program, with an emphasis on the return that will be obtained from these investments

  • Quantify how the company is more secure now than in the previous meeting (e.g. vulnerabilities closed, incidents resolved, fewer alerts generated, etc.)

  • Discuss future security projects which will further improve the company’s security posture

  • Remember to represent these accomplishments in terms of value added, money saved, threats averted, and so on, instead of simply showing a list of remediated vulnerabilities. An explanation of “Project X avoided $5 million in losses” is more effective than “Project X implemented HTTPS encryption on production data,” since the Board won’t understand the implications of that technically-explained risk.

Security Scorecard also recommends avoiding boring board members with technical details – keep it brief and high-level, and have a small packet with the tech details for each project handy in case they want to review it further.

More Here [cetusnews] or here [Security Scorecard]

This article was originally published on CyberSecBuzz

Be the first to comment

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.