Now that security leaders have been invited into the boardroom, what do they say?

Information security is now a board-level topic. The Securities and Exchange Commission made that point in February when it released guidance on how public companies should prepare to disclose breaches and other security incidents. Companies are expected to share information in quarterly and annual financial reports on how they’re managing cyber risks. In addition to details on how companies gauge the severity of security gaps and incidents, companies need to disclose how senior leaders and the board communicate about cybersecurity.

For CISOs and CSOs (and some CIOs), the SEC’s guidance likely means that they’ll be speaking to the board and other executives about security if they aren’t already. Boards have been dedicating more time to cybersecurity than in previous years and have security and technology leaders brief them, according to a Tuesday Wall Street Journal article. But having a seat at the table presents CISOs and CSOs with a new challenge: what do they say to show that they're aligned with the business? After all, they're likely talking to an audience composed of people with extensive business backgrounds but little security knowledge.

To answer that question, we interviewed CISOs and CSOs to learn what they say to their boards and peers to show that they're business-savvy and not just technology hobbyists.

Speak the language of business

Security executives aren't speaking the language of business, resulting in a failure to connect with their board and business-minded colleagues, said Cybereason CSO Sam Curry. “I don’t see average CFOs understanding cross-site scripting,” he said.

And don't expect the board or the CEO and COO to learn computer science.

“The board is never going to learn technical language. It’s better for us to speak business language. That’s how you get your budget approved and support from the board,” said Erika Mata Sánchez, director of information security and CISO at Grupo Nacional Provincial, or GNP Seguros, one of Mexico’s largest insurance companies.

The language of business, according to Curry, can be summarized in six concepts:

  1. Revenue

  2. Employee efficiency

  3. Strategic value

  4. Cost

  5. Risk

  6. Customer satisfaction

The board cares about how security fits into and improves each of these areas. Stray off the theme of security helping the business and into technical jargon and you’ll lose your audience, Curry said. For an even more detailed view of how a business works, Curry recommended that security executives befriend the CFO and ask to look at the profit and loss statement.

“We really have to figure out what the business’ real goal is and what the problem is. Then we have to allow them to work toward that goal, but we have to put safeguards around it that will allow them to do it in a manner where we’re not exposing ourselves to risk,” said David Bryant, CISO of PSCU, a credit union services organization.

That’s not to say that technical knowledge and relationships with the people who carry out IT security don’t matter. CISOs need to stay involved in both.

“The average security executive needs cred with the Black Hat folks. But they also need a seat at the business table and to be able to say ‘I am the source of understanding risk from the IT infrastructure perspective,’” Curry said.

Security takes a village

CISOs should explain to the board that information security is everyone’s job and that anyone can bring a potential security issue to the information security team. Protecting an organization includes the obvious initiatives (like keeping increasingly sophisticated adversaries at bay) as well as the less obvious ones (like getting product teams to consider the benefits of forcing users to change the default password on an Internet-connected device). Framing security this way shows that a CISO has an expansive view of the risks facing an organization and is thinking about them holistically.

“They should know that security is not just people who interact with a certain system, but that it’s more widespread across the company. Present security in a way that lets them know anybody can ring the alarm if they see anything out of the ordinary,” said Luis Torres, director of information security at RhythmOne, a digital advertising technology company.

CISOs shouldn’t be afraid to enlist the board’s help in spreading a culture of security across an organization. Security programs only succeed with the support of the board, which helps set the priorities for a company and its executives. Getting the board’s buy-in on security can strengthen an already robust program or lay the foundation for one.


About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.