An elevated board role starts with trust. Here’s how to earn it.

Aarthi Natarajan

As technology infrastructure and digital threats become increasingly complicated, corporate boards need cybersecurity knowledge at the highest level to understand and mitigate risk. It’s not just good business — soon it will be a mandate. Proposed U.S Securities and Exchange Commission (SEC) regulations, expected to be finalized imminently, will require demonstrated cyber literacy by the board and detailed cyber readiness by the organization. Additionally, it will call for an experienced, credentialed cyber expert on the board itself.

Sound like anyone you know?

CISOs are already expanding their purview and raising their profile in terms of reporting, risk management and strategy. Yet many of them we spoke with at this year’s RSA Conference weren’t sure what steps to take to be seen as a board contender.

The first element involves trust and relationship-building. Do you see cyber threats and IT risks from the board’s point of view? Can board members count on you for timely, accurate insights and relevant guidance — and are you able to communicate all of this quickly and succinctly?

The second requirement is the right tools to bring it all together. Think dashboards for monitoring risk, analytics for seeing around the corners, frameworks for coherently organizing all of this content and visualization tools for telling your story at a glance.

Here’s how CISOs can use all of the above to become indispensable to their board and elevate their role.

Respect directors’ time

Any communications you make in the boardroom should answer the unspoken questions of  “So what?” and “What should I do next?”

  • Think strategically. Rigorously narrow your focus to what’s material and what truly matters in terms of managing risk, reducing loss and demonstrating ROI.
  • Be selective. In today’s deluge of data, pick the most important points, and make sure any metrics you share align with organizational goals.
  • Look beyond your cyber silo. Link findings from your department to risk and impact across the organization, and your initiatives to overall organizational value and benefits. IT risk management tools can help you merge data across systems, from security to governance, risk management and compliance to enterprise resource planning and beyond.
  • Make your updates actionable. Don’t just relate information without recommended next steps. Board members should walk away from your conversations and reports ready to make strategic decisions. 

Tell a story

In order to wed cybersecurity risks to the board’s broader business concerns, it’s not enough to simply rattle off a list of statistics and updates. You need to bring this data to life in a way that resonates — in other words, tell a story.

What particular risks pose a threat to your organization’s assets — and why? What are the benefits of action — and consequences of inaction?

An established framework can be helpful in organizing your data. The NIST Cybersecurity Framework, for example, breaks cyber actions down into five key components: identify, protect, detect, respond and recover. The Loss Scenario Builder in Diligent’s IT Risk Master Class Toolkit offers another potential framework for talking about cybersecurity: threats, threat events, assets, vulnerabilities and losses.

Figure 1. Loss Scenario Builder Tool. This is a sequence of storytelling elements a CISO can use to explain a given cybersecurity risk to the board.

Speak the board’s language

As an expert in your field, it’s all too easy to slip into technical jargon you use every day with your team. But board members aren’t immersed in the cyber ecosystem like you are, and even directors with cyber knowledge will lack your in-depth expertise, so you’ll need to translate.

Say, for example, a threat event arises, as shown in Figure 2: unauthorized control of a pre-existing legitimate network session by a hacker. It exploits an insecure server configuration, an HttpOnly attribute using set-cookie with the http header not configured, permitting XSS. And this vulnerability could cause the following loss: data exfiltration.

When talking with your board, you might explain that scenario as follows: “A hacker hijacked a session between one of our network’s users and one of our web applications. Unfortunately, this web application contains customer data, and we’ve found a vulnerability in how a server is configured. This puts the confidentiality of our customer data at risk.”  

Figure 2. In order to communicate cybersecurity risks to a non-technical board audience, it’s helpful to present a concrete example. Here, the Loss Scenario Builder tool is used to present how and why individual hackers/hacktivists present a risk to the organization.

Keep the conversation going

Meaningful board engagement is a journey, not a destination —even after you elevate your role to trusted advisor and/or board member. You’ll need to keep the dialogue going before, during and after the board meeting. This may include presentations and conversations with committees — like audit, risk and ESG — and cyber training for board members. And you’ll need to remember that this communication is a two-way street. Be ready to prompt, ask and answer questions throughout.

How are activities trending against established benchmarks? Are any risks in danger of exceeding critical thresholds? How does your organization’s security posture compare to the competition? Most importantly, what do all these threats, risks, preparations and mitigations mean in terms of dollars and cents?

Digital tools can help here as well, enabling you and your board to see and make connections across risk metrics, cyber initiatives, investments and outcomes. The Return on Investment (ROI) tool from the IT Risk Master Class Toolkit is one example. In the area of risk, for example, you’ll be able to see at a glance your exposure to losses, what this translates to in monetary terms, what you’ve invested to date in risk mitigation and the ROI of this investment — all metrics your board members, and you as a potential director, need to know in their role of fiduciary oversight. 

Figure 3. Return on Investment (ROI) tool. CISOs can use this to foster open dialogue with the board about the relative risk-reward profiles of various security measures.

Related Insights
Aarthi Natarajan
Aarthi Natarajan, Senior Manager at Diligent, has expertise in the governance space for both corporations and not-for-profit organizations. She has worked extensively with corporate and mission-driven organization governance technologies as well as in the changing needs of hybrid and remote workforces.