Answers to Board Questions Should Educate, Engage
A new report, Cyber Board Communications & Metrics – Challenging Questions from the Boardroom, conducted by Kudelski Security in conjunction with its Client Advisory Council (CAC), found that despite improved communication methods to better inform nontechnical executive leaders, CISOs continue to struggle in conveying cyber risk to their boards of directors.
Board awareness has long been identified as a need across all industries. Boards need to better understand the cyber challenges their organizations face, which demands that they have confidence in their CISOs. Yet the CAC research confirmed its hypothesis that CISOs need to communicate better, so that what they convey to both their counterparts and their boards about programs and initiatives is meaningful.
CISOs spend an average of 10-20 hours preparing their responses to the often-asked question, “Are we secure?” The report found that the time spent does not translate to conveying information clearly, so it also sets forth ways to help CISOs measure and report on security priorities and increase organizational support for security initiatives by looking at the top questions CISOs face.
"Working together we conducted extensive research to present the opinions and experiences of CISOs from organizations of all types to help the broader industry. Our belief is that we can all benefit from the shared experiences of proven leaders and learn how we can challenge the status quo to impact real change in our industry. We thank each of our council members for their tireless support," Rich Fennessy, CEO, Kudelski Security, said in a press release.
“Get to know your board members, their backgrounds, the current boards they serve on…the more you understand the board members, the better you’ll be able to communicate with them,” the report said.
Additional tips include creating a presentation that resonates with the board and both educates and engages. CISOs should keep the focus on context, the report advised, conveying stories with business relevance and providing examples that reveal the bigger picture.
“Tell the board the story the way they want to hear it,” the report said. “The most productive board interactions happen when presentations become conversations.”
Source: Information Security Magazine