A CISO’s Guide to Building a Strategic Relationship with the BOD

A chief information security officer’s (CISO’s) role ultimately is to help their organization’s board of directors (BOD) understand the potential impact of cyber threats on the organization. When this strategic relationship is successful, the BOD can make informed decisions about risk management, including capital allocation and spending relative to industry peers. Effective communication to this end requires the CISO to meet the BOD members where they are regarding both perspective and priorities.

The BOD is responsible for overseeing the management and performance of the organization writ large, and they almost certainly are more concerned with financial and strategic risks than with technical details. The CISO, therefore, needs to clearly articulate the potential impact of cyber risks on the organization’s bottom line in a way that is relevant and understandable to the BOD. Doing so gives the BOD the information they need to understand the state of the organization’s security program, and establishes a relationship the CISO can draw on when discussing any need for strategic improvements and investments.

Five Guidelines to Building a Strategic Relationship

Every CISO interaction with the BOD will be unique, so the most helpful approach to ensuring success is to develop a single strategy to use over the long run. Employed consistently using five rules of thumb, this strategy can yield a strong relationship based on trust and demonstrable value added.

Big Picture Performance Matters

BOD members are evaluating organizational performance writ large, so identify key performance indicators (KPIs) that can provide a consistent framework for conversations. This is not the time to delve into the more technical KPIs. Instead, use quantifiable metrics to measure progress and performance in a specific area. Doing so will ensure the material the CISO brings for discussion is relevant and meaningful for the BOD. Appropriate KPIs for a CISO to present might include:

The number of cyber incidents and their severity.

This KPI can help the BOD understand the frequency and impact of cyber incidents on the organization. Be sure to quantify the severity in terms of the percentage of network compromised, the number of divisions or the teams affected, the length of time critical systems were not functioning properly, or something equally concrete. Nebulous terms like “high impact” will not convey anything meaningful to the BOD and could come across as an attempt to obfuscate the true impact of any incidents that occurred.

The cost of responding to and mitigating cyber incidents.

This KPI can help the BOD understand the true financial impact of cyber incidents, so when assessing this KPI, consider reputational cost as well. Longer term, understanding mitigation’s financial and reputational costs can help the BOD more quickly ascertain the effectiveness of the organization’s response strategy.

The effectiveness of cybersecurity controls.

CISOs can measure this KPI using a framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is a widely adopted framework that provides a set of industry-agnostic guidelines and best practices for managing cyber risk. By evaluating the organization’s cybersecurity controls against the NIST CSF, the CISO can help the BOD understand the organization’s current level of cyber risk and track improvement over time. The CISO may also consider pairing the NIST CSF with an industry-specific framework or standard relevant to the organization.

Literally Put the Bottom Line Up Front

The BOD is deeply concerned with the organization’s bottom line, so frame information and requests in the context of capital allocation. Regardless of what a CISO needs to discuss with the BOD–whether a tactical incident with far-reaching ramifications, a strategic update, or a change of policy–they need to provide context and perspective on the organization’s capital allocation and spend relative to industry peers. This can help the BOD understand whether the organization’s cybersecurity efforts align with industry standards and practices. This context also lays the groundwork for future discussion of additional investments necessary to respond to ever-changing cybersecurity threats and mitigate potential risks. The CISO can present this information in the form of benchmarking data or industry reports.

Lean into Discomfort to Build Trust

BOD members need to understand the ground truth to make informed decisions, so be transparent and honest regardless of how uncomfortable a topic might be. When engaging with the BOD, the CISO must be completely open about the organization’s cyber risk posture. This includes acknowledging any incidents, weaknesses, or vulnerabilities and discussing the steps the CISO and their team are taking to address these issues. The BOD should know potential material risks that could impact the organization’s operations or reputation. The CISOs who have established strategic relationships with their BOD can more easily segue from presenting hard topics into collaborative problem solving.

Orient to Action So They Don’t Have To

Cyber risks can evolve quickly, so proactively engage to keep the BOD informed of big picture changes in the area of cybersecurity. BODs are monitoring many significant aspects of an organization at once, and the CISO’s role is to monitor, distill, and communicate the cyber risks the BOD needs to understand. If specific issues or concerns arise outside the regular meeting cycle, the CISO should schedule ad hoc meetings with the designated cyber member or audit committee (if either exists) or with the BOD. When doing so, the CISO should keep management informed regarding the material they plan to discuss and any outcomes from the meetings. CISOs who stay engaged with the BOD establish a stronger relationship that will benefit their security team during strategic discussions of material risks and risk management.

Guide Them Beyond with Yes, And…

BODs define risk appetite, key risks, and the scope of the security program, so help them understand how security resources directly facilitate fulfilling (or exceeding) their mandate. CISOs translate high-level BOD guidance into priorities for their teams, focusing security efforts based on business needs and objectives. This aspect of the interaction with the board can present an opportunity for the CISO to guide them toward strategic investment in the security organization. A CISO who keeps “yes, and…” in mind can seize opportunities to define their security space moving forward, collaborate on the company’s overall risk management strategy, or successfully advocate for a new way of approaching a problem.

Want more on security program strategy? Check out our post exploring the adversarial nature of cybersecurity from a big picture perspective.

*** This is a Security Bloggers Network syndicated blog from Blog - Praetorian authored by emmaline. Read the original post at: https://www.praetorian.com/blog/ciso-strategic-relationship-with-bod/