How CISOs Can Craft Better Narratives for the Board

For at least a decade now, career-minded security leaders have well understood the importance of effective communication with the board and CEO. CISOs know they must gain the buy-in of these decision-makers to successfully instill a security-minded culture at their organizations — not to mention to greenlight enough funds for an effective cybersecurity budget.

The problem is that most CISOs today still can't turn that awareness into action. While CISOs are communicating with the board and the C-suite more than ever, they're still struggling to craft the right narratives that help them communicate risk to the board and drive meaningful collaboration between the security team and the rest of the business.

Security experts believe that CISOs need to rethink the content and the context of their messages in order to more reliably hit the mark with their executive counterparts. And most importantly, says Andy Ellis, advisory CISO for Orca Security, they need to tighten up their language and their goals for each interaction.

"CISOs need to think, 'What is the least amount of information we need to give to stimulate action?'" says Ellis, who is due to present at RSA next week on this topic and whose new book, 1% Leadership, will be released this week. "Literally, I have a chapter in my book titled, 'Make the Smallest Argument Necessary to Spur Action.'"

The good news for CISOs today compared with those of yesteryear is that the channels of communication between them, the board, and the C-suite are increasingly opening up. The lesson is that it is going to take a whole lot more clear, simple communication for CISOs to net better results from their interactions with their boards.

CISO Board Reports More Frequent but Ineffective

The good news for today's CISOs is that the channels of communication between CISOs, the board, and the C-suite are increasingly opening up. According to "The State of CISO Influence 2023" survey, conducted by Dark Reading on behalf of Coalfire, 28% of CISOs present monthly updates to the board — up 10 percentage points in just the past year. Additionally, more than half of CISOs said they report to the board on at least a quarterly basis.

Unfortunately, for all of the increases in frequency of communication between CISOs and the executive suite, that upward communication remains largely ineffective.

The realistic CISOs reading the room sense that they're losing their audience. In the recent "Voice of the CISO" report from Proofpoint, security leaders in large organizations reported a huge drop in board support over the last year. Just 51% say they have the support of their board, compared with 71% who said the same last year.

Meanwhile, the directors are confirming that this perception isn't just in the CISOs' heads. A study from PwC this month shows that less than a third of directors are completely satisfied with the information they're getting about cybersecurity today.

"We have an image crisis that is only getting worse, and we need to rebrand ourselves," says Joseph Carson, chief security scientist and advisory CISO at Delinea. He explains that the CISO has to stop focusing on cybersecurity minutiae — things like attack metrics and precise technical details — and start measuring themselves and communicating about business outcomes. "That is the way to win support from the board," he says.

One of the biggest traps that CISOs fall into when communicating with the board is "overloading them with technical jargon," Carson adds. One recent study from the RSAC Executive Security Action Forum (ESAF), a community of Fortune 1000 CISOs, shows that over half of CISOs — 58% — admit that they struggle to communicate technical language to senior leadership in a way they can understand.

The fact that they are even endeavoring to explain that language in the first place indicates how much the content of their updates needs to change to facilitate more fruitful board discussions.

Taking the Fairy Tale Approach

Kurt Manske, managing principal at Coalfire, says he frequently sees CISOs struggle with understanding which key points, facts, or figures to share with their boards.

"A key problem for more technical-oriented CISOs is when and how to pivot during the board presentation and discussion from 'educating' to 'communicating,'" he says.

Sometimes simply mentioning one offhand technical detail can lead a CISO down an educational rabbit hole that completely distracts the board from the meat of what a CISO was really trying to communicate. Helping CISOs avoid these kinds of conversation killers is the whole drive behind Ellis' upcoming talk at RSA, titled, "Telling Fairy Tales to the Board: Turn Attack Graphs into Business Stories."

In his position at Orca Security, Ellis has helped the firm develop graph-based visualization maps that show potential attack paths within an organization's infrastructure. As valuable as that tool can be in communicating a potential attack story to security teams, he says he'd never show them to the board. His idea for his RSA session came up when he shared that with his co-speaker and technical counterpart, Oren Sade, chief of staff at Orca, who was aghast that Ellis thought the visualization's narrative doesn't work for the board.

"He was like, 'Why? This is great. It's a simple story. Andy, you helped us write this story,'" Ellis says. "And I'm like, 'Yeah, but the moment that I say Spring4Shell — or whatever the vulnerability that's being exploited — now I've got to spend 45 minutes explaining what Spring4Shell is because half of the board members think they're forgetting context.'"

Ellis' discussion will translate five different technical "stories" told by various theoretical attack paths into a slide deck and narrative line that actually works for board members. But before he does that, he will frame it with a fairy tale to help audience members understand what he's trying to do.

"I will literally be on stage, and I'll read the first four minutes of Little Red Riding Hood, and then we'll actually build an attack path and say, 'Here is the attack the wolf conducted against Little Red and all of the vulnerabilities that get exploited,'" he says. "And then we say, 'But notice that if you tried to tell it that way, nobody cares.'"

As Ellis explains, in the fairy tale the story is not actually about the wolf eating Red Riding Hood. The story is a cautionary tale for kids that is conveying messages of avoiding hazards like "don't talk to strangers" and "don't leave the trail."

Similarly, the stories for the board are driving toward a message of avoiding unnecessary losses, using security professional expertise in identifying the hazards that make that more likely to happen.

"A system having a vulnerability is not a hazard. The hazard is, 'We don't patch our systems enough,'" Ellis explains. "What's interesting is what happens at the end, right? Customer data gets stolen, ransomware takes over, whatever it is. You always start by talking about the unacceptable outcomes."