Building Security-Savvy Leadership: 3 Ways to Boost Your Board Communications
As cybersecurity becomes a more prominent issue amid our economic and geopolitical landscape, businesses around the globe are working to cultivate security-savvy leadership. Now more than ever, future-defining decisions about cybersecurity and organizational risk are playing out in board meetings. CISOs working to prime corporate leaders know those decisions will either lead to a more secure and resilient business, or if the wrong choices are made, an environment where cyber risk is poorly managed, and threats create chronic chaos.
It’s little wonder, then, that CISO conversations about improving board member communications are picking up steam. Last year, the CTO and Co-founder of Kenna Security (now part of Cisco) Ed Bellis compared notes with CTO and CISO of Travel + Leisure Co. Stan Kreydin as part of the CISO Series Video Chats hosted by David Spark.
Common threads began to emerge as these industry heavyweights discussed best practices, learning experiences, and real-world advice. In this blog, we’ve identified three key takeaways to keep in mind for enhancing your own executive communications and improving security decision-making to cultivate security-savvy leadership.
Three ways to boost your board communications
1. Increase reporting frequency. Before the digital era was in full swing, quarterly security updates sufficed in bringing leadership up to speed on the previous three months. But as the pace of business accelerated (and particularly in the last two years), so has the need for more frequent updates. The reasons are many: attack surfaces are expanding, threats are on the rise, and environments are becoming more complex than ever before. Remote and hybrid work environments have compounded these challenges, demanding an uptick in security briefings.
Establishing a consistent and regular reporting cadence helps keep security priorities top of mind. Increased airtime during meetings also gives you the opportunity to emphasize the most important aspects of the organization’s risk posture. (More airtime is better for many reasons, including minimizing the chances for external or opposing narratives to take hold.)
“You want to give them lines, not dots,” notes Bellis. “You want to convey where we were, where we are right now, where we’re going, how we get there, and what the obstacles are. It’s an ongoing process. If you’re in the fortunate position to be able to present on a regular basis, you can really tell that story.”
The trickle-down effect of frequent reporting cultivates an invested audience. “Creating a narrative around the overall strategy is how you get people engaged,” says Kreydin. “Folks want to know how you’re doing.”
2. Rally around business risk. Even with leading vulnerability management platforms offering clear and intuitive reporting and risk scores, some CISOs still fall into the trap of reporting on vulnerabilities closed or walking board members through spreadsheets filled with endless figures. The result is a confused, disjointed understanding of the company’s risk profile and misinterpretations of how to improve it.
Non-technical leaders may not understand vulnerabilities closed, but they do understand business risk. Kreydin underscores the importance of centering conversations around risk to establish relevance, create urgency, and bridge gaps in understanding caused by technical jargon and acronyms. “Make it about the business risk. If you’re talking about technical risk to a board, you’re creating more problems than you’re solving. It’s the job to talk about how that translates into overall business terms versus technical terms.”
And when choosing which KPIs to help tell your security narrative and communicate risk, both Kreydin and Bellis urge CISOs to keep it simple and jargon-free, provide plenty of context, and tie KPIs to company goals. “You should be controlling that narrative and present the metrics that are important to the business,” says Bellis, “but you’re also going to have to explain why they’re important and how they fit in. Give all the context.”
3. Serve as a resource. Building a security-savvy leadership team doesn’t happen overnight. Investing time, energy, and care into establishing yourself as a trusted resource and advisor invites people to ask questions, discuss ideas, and be an active participant in risk management. Find opportunities for ongoing education.
Kreydin says you can use high-level angst over high-profile exploits as an opportunity to educate leaders. “When we have globally impactful events in the media, I’m usually asked to join in the conversation. I provide a brief acknowledgment that we’re aware of the event, show we’re engaged in the industry, and provide context and relevance. Ultimately, I use it as a pivot point to create additional dialogue.”
Creating stewards of cybersecurity at the executive leadership level requires extra hours outside board meetings, but the payoff is worth it. Kreydin recalls how, after a third-party vendor had security challenges, a board member reached out and asked if something similar could happen to them. “To me, that goes back to creating that relationship and cadence. Having that engagement and trust, it’s the best compliment you can get.”
Drive data-driven, risk-based decisions
Security will only become a more talked-about topic everywhere, especially at the executive and board levels. While breaking down security and risk concepts into digestible and engaging takeaways may seem like a daunting task, tools and strategies are available to cut down on the complexity of managing and reporting on risk. Industry leaders like Cisco and Kenna Security (now part of Cisco) are defining a new future for enterprise security operations, one that’s automated, democratized, and (most importantly) simple.
With the right tools in place and the right approach to board communications, you can continue to elevate security priorities, bring strategic recommendations to the table, and trust your board to make data-driven, risk-based decisions.
To hear the full discussion between these powerhouse CISOs, watch the replay: Hacking Board Metrics: An hour of critical thinking about improving executive communications for better decision making.