Cybersecurity has swiftly become a strategic risk and a top boardroom concern. This shift has elevated the importance of the relationship between a company’s chief information security officer (CISO), or similar information technology (IT) executive, and its board — especially with directors serving on the board’s risk committee. As anyone who’s celebrated Valentine’s Day knows, effective communications lie at the heart of fulfilling relationships.
Santa Fe Group Chairman Catherine Allen has been personally involved in fostering relationships between technology leaders and board members for three decades. Allen currently serves on four corporate boards and several non-profit boards, and she has chaired or sat on security and risk committees. When helping CISOs take their board relationships to the next level, Allen offers five pieces of advice:
- Communicate, communicate, communicate: Request to present at a board meeting annually and at every gathering of the board’s risk committee. The presentations should cover high-level cybersecurity issues while educating board members on emerging trends and technologies, such as artificial intelligence (AI), 5G, deep fakes, cryptocurrencies and drones. This educational component also helps quell any perceptions that CISOs are only dwelling on problems and/or asking for more money.
- Lead with business, not technology: When presenting to the board, avoid focusing too much on technology matters. Instead, address how cybersecurity affects business strategy, operations, products and services, customer relationships and the company’s reputation.
- Compose a compelling narrative: Illustrate key messages with vivid real-world accounts of cybersecurity lapses, especially breaches that occurred within the industry. Highlight how cyberattacks resulted in shareholder value declines, hits to corporate reputations, and even board and C-suite terminations. Tell a story about the current state of organizational cybersecurity and illustrate your narrative with snapshots of progress, industry benchmarks, and plenty of hard numbers and dollar amounts. Slide decks should be short and non-technical. Invite a member of the board or risk committee to review your slide deck prior to the presentation to ensure that you’re framing issues from a business perspective.
- Consider a good therapist: Enlist external IT, cybersecurity and risk management experts to review your cybersecurity program and practices and to report their findings to the board. Objective third-party perspectives can bolster business cases and budget requests. Outside firms are also a good source for IT and cybersecurity expenditure figures in your industry and other benchmarks.
- Send thoughtful reminders to board partners: Sustain your education of the board outside of meetings by sharing articles and studies (that speak to business leaders as opposed to technology experts), providing updates on relevant off-site meetings and speakers, and keeping them informed of cybersecurity conferences they might attend.
Healthy relationships require a commitment from both parties. In this companion article, Allen shares her take on what board members can do to cultivate a more durable cybersecurity capability.