Teaching the Board to Talk to CISOs

Without a sense of context, the CISO cannot be expected to communicate meaningfully with the Board

You don’t have to go far online or on social media to come across articles analysing the difficulties CISOs have in communicating with the Board.

The bulk of their argument revolves around cultural and language issues. In short, CISOs don’t speak the language of the business and need to learn it, so that they can address concerns coming from the top, communicate with senior executives around their needs and, broadly speaking, show the value in what they – and their teams – do.

To me, this argument belongs to the type of failed bottom-up approaches that have prevailed around cybersecurity over the past two decades. We have now reached the point where new dynamics need to be introduced for those exchanges to be meaningful and productive.

First of all, I think the times have gone when you needed to explain to the Board why cybersecurity matters, but the Board needs to understand the real challenges the firm is facing in protecting itself from cyber threats.

In that respect, the Board and senior executives need to understand that their relationship with the CISO needs to be nurtured and, to some extent, engineered, to generate the expected value: In short, as well as teaching the CISO to talk to the Board, I think it is also time to start teaching the Board how to interact with CISOs.

“Wheeling-in” the CISO once or twice a year may put ticks in some compliance boxes, but it is unlikely to lead to the building up of trust.

The immense majority of CISOs are technologists by trade and by background. There is nothing wrong with that. It simply reflects the evolution of cybersecurity concepts in the corporate world since the first CISO roles were created in the mid-1990s, gradually emerging from their technical security background to gain corporate acceptance. CISOs’ profiles have followed – and continue to follow – that path, but each CISO will have taken their own route across their career and will be at a particular point on that journey.

One thing is almost certain: Corporate governance and the intricacies of board-level interactions are unlikely to be one of their strengths.

The Board is often a political arena, with various agendas at play. Without any knowledge of the other issues and priorities currently under discussion at Board level, and of the political struggles and personalities involved across the Boardroom table, no executive can be expected to articulate anything genuinely relevant to the Board.

General cybersecurity knowledge and a sense of perspective around risks and threats can be brought in by external experts or non-executive directors, but the reality of the situation on the ground across the firm can only come from the CISO, and they can only put it into context for the Board if they are given a sense of context in the first place.

This goes beyond a broad sense of alignment between cyber strategy and business strategy: It is about aligning cyber execution with business execution over time across the strategic lifecycle; a lifecycle that can be disrupted by mergers, acquisitions, the arrival of new executives at the top, new market opportunities, technological evolutions or global events.

Board members and senior executives need to understand the essential nature of this alignment for the CISO – or any other executive – to provide them with input, answer their questions or address their concerns in a valuable and meaningful way.

This is all the more relevant for cybersecurity, which is by essence a complex, cross-silo matter at corporate level.

To me, the exchanges around cybersecurity at Board level would be greatly eased with some form of embodiment at the top of the firm encompassing all business protection aspects and their associated regulatory compliance dimensions.

This “Chief Security Officer” (CSO) type of role, which I have been advocating for a while, could be central to the rewiring of corporate dynamics around cybersecurity, and would greatly help CISOs, by taking away from them corporate reporting layers to which they are not well suited, and refocusing them on the native technical dimensions of their role.

In turn, having one of their peers across the Boardroom table should break barriers and give Board members more confidence in the dialogue they can build around cybersecurity.

In my opinion, this is the way many firms need to start evaluating the Board / CISO interaction problem, instead of expecting CISOs to perform impossible tasks.


About the Author

JC Gaillard is the author of “The Cybersecurity Leadership Handbook for the CISO and the CEO” and “The Cybersecurity Spiral of Failure”; he is a leading strategic advisor and a globally-recognised cybersecurity thought-leader, founder and CEO of Corix Partners and Fellow of the Chartered Institute of Information Security in the UK.
