Focal Point Blog

What The Board Wants CISOs to Know

Written by Advisors Team | Apr 27, 2017 1:00:00 PM

Since its publication on April 18, the inaugural Cyber Balance Sheet Report has had executives and cyber professionals worldwide discussing and evaluating their security capabilities with a new perspective. Detailed in the report are the opinions of nearly 100 CISOs and executives on the best practices for productively discussing cyber risk in the boardroom. In addition to the raw data, the report gathers memorable quotes coming from both sides of the table, showing what each party is willing to say to a researcher, but may not be willing to say to each other. We’ve highlighted a few poignant quotes below (read the full report here):

“Directors come away with the overwhelming impression that no matter how much money they spend on security, they’re still going to get breached.”

  • The Cyber Balance Sheet Report found that Board members often lack confidence in their security programs’ effectiveness (see the chart below). It’s important to show the Board that you can reliably and consistently meet measurable goals, quarter-over-quarter or year-over-year. Coupled with a risk-based assessment of your program (preferably against a respected external framework), you’ll have the reporting metrics needed to instill confidence.

[Chart: Board Confidence in Cybersecurity Program]

“Nobody cares about how many packets your firewall blocked. If security reporting doesn’t reflect business goals, you’re doing it wrong.”

  • The exact details of your security program’s day-to-day operations are interesting for you and your security team, but they mean far less to the Board. Speak in terms that the Board will understand. How does this help the business meet its goals? Does it improve the bottom line? Does it make the Board members’ jobs easier?

“Use two ears vs. one mouth. As much as you know infosec, they know the business. Your job is not telling them what to do but helping them with what they want to do.”

  • The Board is interested in advancing the business, not your security operations. The conversations should be framed around business goals. Don’t tell the Board what you wish you could do, or what you’d be able to do with more funding. Show them what they’re getting and illustrate that outcome in business terms.

In order to communicate most effectively with the Board, CISOs need a way to organize and represent the cyber assets, capabilities, and liabilities of their organization. A Cyber Balance Sheet is one possible way to reframe the Boardroom conversation around cyber risk. The Cyber Balance Sheet Report shows you how to get started. Download the full report below.

The Cyber Balance Sheet Report is sponsored by Focal Point Data Risk and independently researched by the Cyentia Institute. The Report comes as a result of the first annual Cyber Balance Sheet Summit that was held in New York City in January 2017.

Interested in attending the next Cyber Balance Sheet Summit? Click here for more information and to request your invite.