Information security is no longer just about setting up a firewall or installing antivirus software. The prospect of a NotPetya-like attack crippling factories and hurting profits and Chinese hackers pilfering intellectual property (among many other security threats) has made keeping companies safe a critical business issue.
This development has elevated the CISO role. In fact, some security executives have escaped the server room and now meet with the board of directors to explain how they’re mitigating information security risks.
But meeting with the board brings a new challenge: how can CISOs convey the importance of security to the board? They’re trying to connect with results-driven executives who think about quarterly revenue and profit margins, not hot fixes and false positives. And the sight of the CISO in the boardroom can be off-putting, given that security leaders have a reputation for slowing or scuttling projects over security concerns.
“CISOs need to do a much better job educating boards on risk. The challenge some CISOs face is not getting too much into the technical jargon and security jargon with the boards and talking more about why they should care,” said Ryan Gurney, CSO of Looker, a software-as-a-service data analytics company.
Here's how security leaders can be seen by boards as business-savvy leaders instead of technology hobbyists.
CISOs can earn the board’s trust and respect by getting information security in tune with business operations. Accomplishing this task means security leaders need to learn the language of business and use it to frame conversations around information security. The concept is simple: relate every information security project to a business objective and avoid technical jargon.
“The board is never going to learn technical language. It’s better for us to speak business language. That’s how you get your budget approved and support from the board,” said Erika Mata Sánchez, director of information security and CISO at Grupo Nacional Provincial, or GNP Seguros, one of Mexico’s largest insurance companies.
CISOs can connect with the board by speaking the language of business, which centers around six themes, said Cybereason CSO Sam Curry:
-- Risk
-- Revenue
-- Employee productivity
-- Strategic value
-- Cost
-- Customer satisfaction
“Don't talk about anything else except those six things. The biggest problem CISOs have right now in bridging the gap between security and business,” Curry said.
CISOs should explain to the board that information security is everyone’s job and that anyone can bring potential security issues to the information security team. Protecting an organization includes the obvious initiatives (like keeping increasingly sophisticated adversaries at bay) as well as the less obvious ones (like getting product teams to consider the benefits of forcing users to change the default password on an Internet-connected device). This mindset shows that a CISO has a more expansive view of the risks facing an organization and is thinking holistically about risk.
“They should know that security is not just people who interact with a certain system, but that it’s more widespread across the company. Present security in a way that lets them know anybody can ring the alarm if they see anything out of the ordinary,” said Luis Torres, director of information security at RhythmOne, a digital advertising technology company.
CISOs shouldn’t be afraid to enlist the board’s help in spreading a culture of security across an organization. Security programs only succeed with the support of an organization’s board. After all, the board helps determine the priorities for a company and its executives. Getting buy-in from the board on security can strengthen an already robust program or start building the foundation for one.
Talking about security failures with the board seems like a sure way for security executives to lose their jobs. But bringing up what went wrong is the only way for organizations to learn and improve their defenses. No one benefits when security mistakes aren’t discussed.
“If I’m not comfortable going to the board and saying, ‘We’ve had this happen because of a failure in our enterprise level of security,’ then we’re not going to learn the lesson so that we can prevent it from happening again. We learn our most important lessons the times we’ve failed,” said Guy Daubenspeck, CISO at financial services company Kasasa.
A crisis is an opportunity, said Bob Bigman, former CISO at the CIA. To him, discussions on how to improve security are rarely held when a program is succeeding. In fact, just the opposite happens: budgets are usually cut. But when there’s a problem, everyone (especially the board) is interested in figuring out what went wrong and how to prevent it from happening again.
Sorry, CISOs, it’s not all about you when talking to the board. Yes, the board wants to know about information security, but only in the context of how it helps the business achieve its goals. Remember, your job is to understand a business’ needs and develop a security program that supports those initiatives.
“We really have to figure out what the business’ real goal is and what the problem is. Then we have to allow them to work toward that goal, but we have to put safeguards around it that will allow them to do it in a manner where we’re not exposing ourselves to risk,” said David Bryant, CISO of PSCU, a credit union services organization.
Want to master the language of business and learn more about conveying the importance of security to the board? Then read this ebook, which has advice from security leaders on how to bridge the gap between security and business.