On Cyber Security, Boards and Chief IT Executives Must Speak Same Language

Kim-DeCarlis-Photo

As published inThe Economist Intelligence UnitOctober 5, 2016

By Kim DeCarlis, CMO, Imperva

As threats mount, cyber security has become top of mind for a growing number of corporate boards. Directors and senior management worry that data breaches and thefts could damage their company’s growth prospects, bottom line and brand reputation. Increasingly, boards seek to ensure that strong programs are in place to respond to any incident and that their chief information security officers (CISOs) brief them regularly on cyber security.

Grasping the cyber security issue head-on – and not just via a bullet point or two in a report to prepare for a board meeting – is critical. Directors, of course, have a fiduciary responsibility to protect the company they serve. Cyber security-related litigation is increasing, and lawmakers and regulators seem primed to toughen oversight.

While boards recognize that it is both management’s and the CISO’s responsibility to protect a company’s data and applications, they must make sure of one crucial element when they communicate with their IT experts. They must understand each other’s language. Often, they don’t. A vast majority of directors aren’t tech-savvy and many CISOs don’t speak the language of business. Both boards and IT security professionals must discard their professional and technical lingo and speak plain English – and that can be a struggle.

In conversations with directors and IT leaders, it’s clear that this is a common occurrence: A CISO briefing the board will suddenly lapse into using IT jargon – an alphabet soup of terms from “asymmetric cryptography” to “zombie.” Directors, on the other hand, too often speak the language of an economist or an MBA.

What CISOs must realize is that directors want to know in plain terms the financial impact that a technology matter – whether a breach or an IT security expenditure – will have. They want to know what it will mean if the company doesn’t give IT more security personnel or budget to advance their cyber security portfolio. At the same time, CISOs must be able to follow a boardroom conversation.

Here is some advice that will help directors and IT security chiefs communicate more clearly as they tackle the complexities of cyber security.

For directors:

  • Do homework on the basics of information breaches and cyber security. Gain enough knowledge to be able to grasp what IT leaders are saying and to ask pertinent questions. This background information can come from other board members who have more experience on the topic, from security-related websites or from news outlets that regularly cover the steady drumbeat of breaches.
  • Find out the common ways cyber criminals, spies and hacktivists burrow into a target’s IT infrastructure and extract critical data, as they did in the high-profile breaches that compromised Anthem, Home Depot, Neiman Marcus, Sony and Target.
  • Ask for and review what peers are doing in the company’s industry, and keep an eye on the company’s competitors and their security postures.
  • Grasp the compliance issues that affect or could impact the company in the areas of security and privacy. A legal or government affairs resource in the company should be able to supply that.
  • Refrain from asking a CISO a binary question such as “Are we secure?” It’s unrealistic to think that any company can ever achieve a zero-risk state. There’s no guarantee a data breach will never occur. Instead, ask “Can major cyber threats be mitigated? Do we align with industry security practices? Are we in compliance with regulations and industry standards? How did we do in our last cyber incident response simulation?”

For CISOs:

  • Since a board presentation can trigger panic – and even kill a project or hurt a career if done poorly – look to experts such as industry analysts for guidance and download resources such as the Gartner Executive Briefing Toolkit for Security Strategy.
  • Think strategically and focus on the business, which means forego tech speak and relate the value of, say, a technology security purchase to risk mitigation, not ROI or TCO. For board members, risk tolerance, risk mitigation, brand reputation, business disruption and compliance are key.
  • Keep any written reports short, preferably under five pages, because directors are bombarded with many different materials. Be mindful of their attention span and consider presenting a crisp slide deck instead.
  • Remember that directors ask questions, if they don’t understand a slide or particular chart, so be prepared with a response for varied scenarios, especially the ones you hope they don’t Also avoid propagating fear, uncertainty and doubt. Credibility is essential.

In the end, much of the responsibility for effective communication rests with the CISO. But directors also have an obligation to ensure that a dialogue is open, honest and generates important and insightful knowledge. We have a series of informational discussions on ourblog, and hope you will join us in the conversation there.

Kim DeCarlis is chief marketing officer of Imperva, a leading provider of cyber security solutions that protect business-critical data and applications. Kim is a Board Member at Girls in Tech and Children’s Discovery Museum of San Jose. Follow Kim on Twitter @Kim_DeCarlis.