How to Win Over Your Board: Advice from a Seasoned CISO
Years ago, during a meeting with my boss (the company’s CIO), he told me I would be presenting to the Board of Directors at the next quarterly meeting. “You’ve been asking for a chance to present cybersecurity to them, and you got it!” he said. “Don’t mess this up,” he joked. “I don’t think he’s joking,” quipped the voice in my head. My boss shared the date of the meeting. As I jotted it down, I did some quick math and calculated that I had a few weeks before I took the stage. The voice in my head cleared its throat and teased, “Will you strike out, or hit a home run?”
Several weeks later, I sat outside the Board Room, waiting for my time slot. After wiping my sweaty hands on my pants about a thousand times and watching the minute hand tick forward in slow motion, the door finally swung open and somebody motioned me in while mouthing the words, “You’re up!” I had spent weeks preparing for my fifteen-minute slot, and suddenly, after a blur, the meeting was almost over. I had whittled my PowerPoint deck down to just a few slides, but the projector sat on the intro slide the whole time. As soon as I had introduced myself and started my well-rehearsed intro, somebody politely interjected, “We’ve been through the pre-read, and if you don’t mind, we would just like to chat with you.”
All the work I had put into my deck, filled with a dashboard, key performance indicators, an org chart of my team, and a summary of the projects we had completed, and I never got a chance to cover any of it. Instead, questions came from Board members and I answered them as concisely as possible. It didn’t take long before one of the most tech-savvy members took the spotlight and started asking questions. These questions were direct and somewhat technical, regarding vulnerability management and web development security. I had been told that he was very sharp and liked to throw in curveball questions. In our discussion, I avoided three-letter acronyms and focused on speaking in business terms as much as possible. So far, so good. We started to wrap up.
“I have one more question,” he said. “Here comes the curveball,” my inner voice warned. “Can you guarantee we won’t be hacked?” My answer was honest and unrehearsed. “No, I can’t. And if I said yes, then you should probably ask me to leave.” He nodded, smiled and said, “Good answer. Thanks.”
Every IT or cybersecurity leader who reports to a Board of Directors, Audit Committee, or executive leadership team knows that it is a daunting challenge to take several months of their team’s work and pare it down to fit into a 5-to-15-minute presentation delivered once a quarter, or less often.
At Stratascale, our Office of the CTO regularly speaks with executive leaders who have been in their roles for years but are only now getting their first tap on the shoulder to report to their Board, or who have moved to another company and are working to build confidence with their new leadership team and Board. Reporting styles and approaches vary: quantitative, metric-driven reports; qualitative, observational assessments; narrative, story-driven reporting; and blends of all three.
The Office of the CTO includes leaders who have built technology and cybersecurity programs and who assist with preparing presentations for executive leadership and the Board. We also have research and technical experts who can design and execute roadmaps and strategy.
Although this is not a comprehensive list, here are seven key attributes I have observed in leaders who have good relationships with their executive leadership and Board.
- They Know Their Goal
The most successful CISOs have a clearly defined goal: when they leave the room, the Board should trust that they are the right person for the job. Every slide, metric and answer is in service of that outcome.
- They Tell Stories
Stories and analogies are easy to remember and relate to. Here is a story I have used to describe the metric “Mean Time to Detect”, the average of what is also called “dwell time”: the interval between an attacker’s first access and the moment you notice them. My wife’s great-aunt lived in an old house in Chicago. She was shocked to discover that somebody had set up living quarters in the crawl space in her basement. Imagine finding out that somebody was living in your basement. Would it freak you out? Well, guess what: attackers circumvent security controls to access corporate networks and lurk there undetected. In 2020, the Ponemon Institute reported that the average time to identify a breach that year was 207 days. So the question you should always be pondering is, “Is somebody living in my basement?”
- They Avoid FUD
Fear, Uncertainty, and Doubt (FUD) are the ingredients of a propaganda tactic that uses negative information to influence people. Breach headlines, silver-bullet solutions and knee-jerk reactions may win a budget line once, but they erode credibility when the predicted disaster does not arrive. Leaders who instead take a strategic approach, understanding business priorities, mapping controls to them, and measuring how effectively those controls reduce risk, are more successful over time.
- They Speak in Business Terms
Cybersecurity leaders tend to be technically astute and have a deep vocabulary filled with three-letter acronyms. That fluency is an important part of building and maintaining a well-designed cybersecurity program. However, “geeking out” with the Board can confuse them, and confusion isn’t good for building trust. Stick to business terminology: describe the business process at risk, the likely impact, and the decision you need from them, and you will come out on top.
- They Keep it Simple
Successful cybersecurity leaders can provide a single pane of glass that summarizes the current state of the cybersecurity program, flags key risks, and outlines how each will be remediated. If you present from a PowerPoint deck, keep it short and easy to understand. Some CISOs ask other business departments (e.g., marketing or audit) or even family members to review their decks before presentations. If they can understand it, chances are the technical jargon and three-letter acronyms have been stripped away and the content will be easier to digest.
- They Demonstrate Their Vision, Approach and Framework
There’s no need to reinvent the wheel when it comes to a good cybersecurity program. Selecting an established framework and executing against it so that you can demonstrate measured progress over time lets leadership and the cybersecurity team know that the CISO has a clear vision and strategy for reaching a target state, and a baseline from which to adapt when the business or the threat landscape changes.
- They Are Aligned to the Business
Successful CISOs are aligned with business leaders. They have conversations with them, understand their strategy, their crown jewels, and what they are concerned about. Security departments that work in step with the other teams inside IT are consistently more successful, and CISOs who partner with the business and have relationships with its leaders understand what they are protecting and why it matters.
Recently, while I was speaking with the CISO of a Global Fortune 200 company who started his role about 18 months ago, he shared the story of how the relationship with his Board of Directors has changed. He said that initially, his goal was to earn their trust and prove that his team knew what they were doing and had a plan. He further stated that by his last Board meeting, the conversations had matured from his early ones. “Last year, they were asking ‘do you know how to patch?’ and now they are asking about due diligence and how to automate code.” This is a good example of how the relationship between CISOs and their Boards should grow over time. Start with the fundamentals, then expand into focused topics around strategic objectives and projects that are tied to business goals and metrics. This way you are always able to tie the cybersecurity requirements of the organization back to goals the Board can understand.