Regular communication with CISOs may not be enough for the board to fully understand and adequately invest in cybersecurity. According to a survey conducted by Neustar International Security Council in November 2022, only 49% of organizations have the requisite budget to meet their cybersecurity needs. Thus, only half of all CISOs receive enough resources to enforce effective cybersecurity strategies.
What CISOs need most are tools to effectively convey issues surrounding cybersecurity in order to obtain sufficient cybersecurity funding. This article provides tips and best practices for CISOs on how to communicate IT security to the executive board and ensure that it takes cybersecurity seriously.
Why do CISOs need to improve their communication with the board?
A lack of effective communication between a CISO and the executive board is often the primary reason that organizations fail to implement security practices to cover their specific needs and properly secure their most valuable assets. According to PwC’s 2022 Annual Corporate Directors Survey, only 41% of corporate directors think that their board members understand cybersecurity risks “very well”. The most probable reason is that the board and the CISO speak different languages.
While each organization’s board is unique, most board executives don’t have a technical background. According to data from Heidrick & Struggles, only 5%, 10%, and 17% of board members in Europe, the United Kingdom, and the United States, respectively, have cybersecurity experience. That being the case, it may be challenging for the board to understand the interrelation between cybersecurity risks and business risks.
At the same time, CISOs often tend to forget that the board has very little insight into the complexity of cybersecurity operations. Some CISOs struggle to communicate cybersecurity to the board in business terms, which leads to underestimation of the value of cybersecurity by board members and, consequently, insufficient cybersecurity budgets.
Gartner, “Comprehensive Resource List for Presenting Cybersecurity to the Board of Directors”, Jay Heiser, 5 January 2023
Enhancing executives’ cybersecurity expertise through effective communication can benefit an organization’s security in many ways. For instance, when the board is knowledgeable about cybersecurity, the organization is less likely to spend a lot of money on unnecessary security measures just because “everyone is using them”, and is more likely to implement measures that are tailored to the specific security needs of their organization.
Moreover, board members’ cybersecurity expertise may soon stop being viewed simply as an asset and become more of a requirement in some countries. In the US, the Securities and Exchange Commission (SEC) is considering a new security regulation which would require reporting on the board of directors’ cybersecurity expertise.
To help you prepare for your meeting with the board, let’s first take a look at what executives expect you to report.
Key cybersecurity aspects to report
Which aspects of your organization’s security to report may depend on the type of board meeting. For instance, what you report in an annual board meeting will differ from what you discuss in an incident-driven meeting. Here, we review the most crucial information you may need to report to the executive board during regular quarterly meetings:
1. Current cybersecurity risks
Consider researching current widespread and industry-specific security incidents before the meeting. Board members should realize that the threat is real. Ideally, you should provide a few real examples and their consequences.
After your research, consider conducting a risk assessment. It can help you:
- Detect areas vulnerable to cyber attacks
- Prioritize risks
- Evaluate how efficient your current security measures are
- Outline new measures to implement
- Determine the probability of cybersecurity events
When sharing the results of the assessment with the board, try to emphasize how likely certain security incidents are for your organization and the potential financial losses from each of them.
The same goes for third-party risks. Each third-party vendor you cooperate with increases risks to your organization’s security. Try to classify your vendors per their impact on the organization. The more sensitive the data that they have access to, the higher the risk. Inform board members about vendors with the highest impact potential and the way you address the risks they pose to the organization.
2. Recent security incidents
Report any security incidents that occurred in your organization within the last quarter and their consequences. Start with the most significant incidents and gradually move on to less significant ones.
Briefly inform the board about what happened, how the security team responded, and what caused each incident. Present the findings of the incident investigation and your plans for preventing similar incidents in the future.
Additionally, you may wish to include a summary of security measures you implemented after past incidents. Describe in a nutshell how those measures improved the organization’s security, and whether they helped to prevent further incidents.
3. Results of security audits and penetration testing
The results of penetration testing can help the board understand existing vulnerabilities in the organization’s defense. At the same time, the results of security audits can show gaps in security controls, practices, and compliance with industry standards. You may use these results to underscore the need to implement a new security strategy and increase the cybersecurity budget.
4. Progress on cybersecurity projects
Provide information about the status of major projects the security team is currently working on. These projects might be related to:
- Maintaining compliance with IT security requirements
- Implementing security controls
- Managing and eliminating system vulnerabilities
- Developing or updating security policies and procedures
During your presentation, make sure to mention if projects are on time and on budget, and if they require additional resources (if they do, provide good reasoning).
Last but not least, inform board members about updated high-level objectives, costs, timelines, and ROI of the projects.
5. Competitors’ cybersecurity postures
It’s easier for board members to comprehend whether the organization’s security is strong enough when you compare it to other competitors and industry leaders. Thus, they will have a better grasp of what constitutes an acceptable level of cybersecurity risk.
Try to compare your organization’s security performance to some of its competitors. Be completely honest and show board members the areas your organization excels in or lacks.
Now that we know the key points you need to report, let’s review several best practices to prepare a report that your board of directors will understand and appreciate.
Communicating IT security to the board: 7 CISO’s best practices
Ineffective communication is a major obstacle for security officers trying to provide efficient cybersecurity risk management. We’ve put together seven valuable tips to make cybersecurity communication with executives smooth and productive.
1. Understand the business and the board’s priorities
Maintaining a balance between technology and business is crucial for CISOs nowadays. A comprehensive understanding of business operations can provide insight into the priorities of the board and align your cybersecurity strategy accordingly.
In turn, knowing the current priorities and expectations of the board helps you better discern what information to present during the board meeting and how to get your points across. These priorities may include:
- Preventing business outages
- Maintaining customer trust and company reputation
- Protecting the company’s innovations and trade secrets
- Complying with IT security requirements
If their current main objective is to ensure compliance with updated industry cybersecurity requirements, you should tailor your report accordingly. Show whether or not your organization complies with the requirements and if so, how. If it doesn’t, show how you are planning to ensure compliance and specify what your security team needs in order to meet the IT requirements.
2. Speak their language
Adapt your report to the language of the audience to make sure your message lands. Try to simplify your language as much as possible by avoiding technical and cybersecurity jargon. Using full names and descriptions instead of acronyms that are unfamiliar to board members can also facilitate communication.
Besides choosing the right words, make sure you present information in a business-like manner. For instance, instead of describing what to secure and how, explain what value a certain security process or tool will bring to the business. When presenting metrics, point out how they’ve changed over time to illustrate how specific areas of security improved or worsened.
Make use of visuals during your presentations. Employ dedicated tools to present data in schemes, diagrams, and graphics to make it easier for board members to comprehend.
3. Justify the implementation of new security measures
Without proper justification, executives may not be willing to invest more resources in cybersecurity. When you need to establish new security processes or deploy more tools, show the board how those processes and tools align with your organization’s current goals and objectives.
Demonstrate that new security measures can help comply with cybersecurity requirements, avoid fines and legal issues, prevent revenue or reputational losses, and/or reduce the risks of security incidents. Thus, the executive board will be more eager to provide you with the required resources.
4. Quantify cybersecurity data
Members of the executive board may have trouble understanding technical terms, but what they do understand well are metrics like revenue and ROI. When delivering your reports to the board, make sure to emphasize the business outcomes of certain cyber risks or security measures and how they may impact the organization’s revenue or margin. You may want to seek assistance from the CFO or other financial specialists in your organization to back up your statements.
Make sure your reports are specific and to the point. Instead of saying “We deployed a tool to minimize the risks of insider threats and data breaches,” you can say “We spent $200,000 on a product to help us prevent up to $2 million in losses caused by data breaches and non-compliance fines.”
5. Keep reports brief
During your presentation to the board, you may be tempted to share as many insights as possible. However, it’s best to demonstrate only the most significant aspects without delving into too much detail. Lengthy presentations don’t receive due attention and focus from board members which is often vital to achieve what CISOs aim for.
Focus on the bigger picture to keep the board’s attention, and provide details only when necessary. Emphasize the potential influence of security incidents on innovation, productivity, revenue, and the reputation of the company, while briefly describing IT controls and processes.
6. Be ready for objections and questions
Members of the executive board should and will ask questions during your presentation. Some of the most common questions are:
- What steps do we take with the evolving threat landscape?
- How do we manage risk related to our third parties and suppliers?
- Are we able to rapidly contain damages and mobilize response resources when a cyber incident occurs?
- Do we have a tested incident response strategy?
- How does our security program align with industry regulatory requirements?
However, these are just a few examples. Questions often depend on what the board is most concerned about at the moment. For instance, if the board previously allocated additional finances to cover a certain security gap, they might ask whether that gap was successfully eliminated. Or, if there’s a particular type of attack that companies from your industry often fall victim to, they might ask you about the measures you take to keep those attacks at bay.
Prepare strong arguments in favor of your proposals as not all of them will be approved by the board. Make sure to listen attentively to their objections and concerns and address them.
7. Prepare thoroughly
When reporting to the board, you should demonstrate that the security strategy you’re implementing or planning to implement is not just a random suggestion but has a logical basis and precedent.
To achieve this, you’ll need to meticulously study and analyze your organization’s cybersecurity and then present adequate justification for each of your decisions during the board meeting. To make preparations easier, make sure to always document and regularly update:
- Security procedures established in your organization
- KPIs for security measures
- A well-thought security plan
However, performing a proper audit and analysis of organizational security might be challenging without a dedicated technological solution. Read on to find out how Ekran System can help you with this matter.
How can Ekran System help you report to the board?
Ekran System is a comprehensive insider risk management platform that enables detailed analysis of the organization’s internal cyber environment and helps the CISO communicate with board executives more efficiently.
Ekran System offers a diverse range of inbuilt user activity reporting and auditing capabilities that can provide you with insights on application usage, user productivity, triggered security alerts, unusual user sessions, and much more. You can choose from more than 20 report types to accurately analyze the organization’s internal security environment.
Ekran System’s Report Generator
With the help of Data Connector and API, you can seamlessly integrate Ekran System with Microsoft Power BI. Hence, you will be able to present insightful data collected by Ekran System with straightforward, interactive graphics, making your reports to the executive board crystal clear.
Reports powered by Ekran System’s integration with Microsoft Power BI
You can leverage Ekran System’s activity monitoring capabilities during penetration testing to watch how your employees are performing in real time. Record user sessions and present them at board meetings when demonstrating the testing results.
Ekran System’s screen recording can also help you capture insider-caused cybersecurity incidents happening within your organization. You can use those records as arguments to justify funding certain security measures.
Apart from facilitating the reporting process, Ekran System provides features to help you ensure the security of your organization’s critical endpoints and sensitive data. These features include:
- User identity management
- Continuous user activity monitoring (UAM)
- Privileged access management (PAM)
- User and entity behavior analytics (UEBA)
- Automated incident response
It’s ultimately up to CISOs to regularly and comprehensively convey the significance of cybersecurity to the executive board. Failure on your part to do so could result in your cybersecurity initiatives not receiving sufficient attention and/or funding, and can lead to negative impacts on the security and reputation of your organization.
Follow our best practices on reporting cybersecurity to the board for CISOs in combination with Ekran System’s reporting and auditing capabilities to simplify communication with your board of directors.
and test its capabilities in your IT infrastructure!