Getting the attention of the board when it comes to information security can be achieved by using the correct language and terms that they understand.
Speaking on a panel at the Cyber Security Show which is held under Chatham House Rule, three CISOs and a security vendor managing director said that when moving cyber security further up the board’s agenda, the best tactics are to use soft skills and know who you are talking to.
One CISO said that when you are talking cyber, show “traceability” to the brand. They admitted that it is not easy, and they had struggled to get to the point where there was a “sweet spot” of language that resonated with senior executives.
Another CISO suggested that knowing who you are talking to, engaging in different ways, talking their language and relatinh to what they do is key, as well as making sure your own team are up to date.
The third CISO recommended not starting with threats and vulnerabilities when building a strategy, but instead focusing on the business and why you need to do certain things.
The vendor MD said that the issue is that cyber remains to be seen as an IT problem, and it is not a useful way to start conversation and you need to change language to a way that the board understands.
“It is a risk and cyber is an opportunity,” they said. “Boards and CEOs are familiar with the concept of leadership and if they expect people to act as custodians, you need to start from top. When Sony chairman Michael Lynton saw passwords in the clear, it was an issue of the leader saying “do as I say, not as I do”, and you can engage the board on the journey.”
Commenting, an audience delegate said that their board were “hyper-sensitive” as they read about threats every day, and whilst they saw risk reports and risk assessments in the same framework, it was better to talk impact and risk assessment than APT, as the board can understand that and you can use analogies and metaphors.
They said: “The issue isn’t on the board, where the issue can be is at senior management level where there are issues of embarrassment, so it requires strong relationships. There has to be an element of trust.”
Concluding, one of the CISOs on the panel said that that reported breaches can be used for you to refer to, so it is worth playing on that, and also use threat horizon reports to show how to factor it into your business, and give some idea on which decisions you are taking and what you can do from a business perspective.