Ten years ago, most board members didn’t need to know much, if anything, about cybersecurity — much less of business was digital. In today’s digital world, cyber risk is business risk. Most boards not only need expertise in cybersecurity, they need to care about it.
And though many are educating themselves about cybersecurity, we rely on our CISOs to implement best practices across their teams so that we can fulfill our responsibilities to shareholders.
As a board director and advisor to tech organizations like Bumble, Splunk and Amplitude, I’ve learned a bit about strengthening relationships between the board and their CISO. Here are some tips I shared with attendees of the inaugural .conf+ event for tech leaders aiming to communicate even better with their boards of directors.
1. Effective CISOs communicate in business terms
If you want to successfully connect with your board as a CISO, you have to be an excellent communicator. You can’t just be technically competent, because in a crisis, you are at the center. Everyone is relying on you and your team to communicate, act and solve problems.
Board members don’t want to be told, “Everything is okay; don’t look behind the curtain at what is really going on.” I want to know at the enterprise level — not at the tech level — what the risks are so we can prepare appropriately. For example, the SEC’s new regulation about incident disclosure asks organizations to reveal that there’s an incident before you even know what the details are. As a CISO, how do you handle that and recommend the decision-making process?
I’m also seeing that larger companies either have or are more seriously considering forming cybersecurity committees. Smaller companies aren’t there yet, but it is important to have competence on the board management team (or a path to build it); otherwise you have a team responsible for something they don’t know what to do with. So, you need diverse skills and people on the board, and CISOs willing to educate them.
2. “Lunch and learns” are for board members, too
Being on a board provides so many opportunities for its members to learn and grow — and a CISO can play a role in that. One of the organizations where I served as a board member previously created great value in the less formal meetings with the CISO. This board decided to do “lunch and learns” to discuss strategic questions and stay up to speed on the changing tech landscape. Since they were not as formalized, we were able to explore more open-ended questions. We also recorded them for those who couldn’t make it, which was really helpful because members of the board don’t always see each other.
3. Third-party assessments bring good perspective — and can build trust
Being able to prioritize risks when communicating with your board is crucial. Using a third-party assessment can supplement the view of your organization so you can assess risks without biases, add credibility and know what to prioritize. In my experience, some executives are comfortable with third-party assessments and some aren’t. But advocating for one to bulletproof what you’re presenting, rather than blocking third parties out, signals high confidence to the board.
You can develop a relationship of trust through the years, but also develop blind spots. Third-party assessments are a good opportunity to get information from outside your company’s walls with a valuable outside-in view. It’s okay to uncover those blind spots, versus feeling vulnerable to expose them.
4. Overall, be transparent
Transparency is a crucial piece of the overall culture of any organization, but especially when it has to do with cyber risk. You want a culture where people authentically believe in reporting and being transparent, so that when there are risks, you can investigate the issue and determine what you want to do about it. This is much better than leaving issues unknown — and a critical part of being able to protect and develop shareholder value.
Elisa Steele serves as board director at Splunk, Amplitude, Bumble, JFrog and Procore Technologies, and advises at Salesforce and people.ai.