Cybersecurity in the Boardroom

A CISO Playbook for Engaging C-suite Executives

It has become somewhat cliche to say that cybersecurity is no longer exclusively an IT job, but needs to be a company-wide effort. But the reality is that CISOs are both the newest C-level executives and the least understood. According to recent estimates, by 2022, only 5% of CISOs will report security metrics that are useful for senior executives. On the other hand, the majority of CISOs report that their corporate boards are not actively involved in security operations. To combat this silo effect, current CISOs should be using the board meetings as an opportunity to build bridges between their own work and the rest of the board. Here are four proven strategies for engaging your fellow C-suite executives:

1. Come Prepared with Key Performance Indicators (KPIs)
As opposed to traditional business roles, the real value-add of cybersecurity is measured by what doesn't occur. And so, naturally, persuading board members that your actual value to the overall health of the company is far greater than providing compliance and troubleshooting may be a hard sell. After all, the CFO is trained to think in terms of historical ROI and growth metrics, so when you proudly announce that you spent the entirety of your allocated budget and got... nothing, you may as well be speaking gibberish.

Instead, come to the meeting prepared with carefully chosen KPIs that quantifiably and objectively track your progress. In fact, you can initially develop your KPIs in collaboration with the other board members so that everyone is on the same page from day one. One KPI that we at Silent Breach have found to be particularly attention-grabbing is a performance comparison against industry peers and competitors. No executive wants to hear that they're lagging behind their competitor, so this is a surefire way of leveraging their competitive nature to achieve your own goals!

2. Use Real World Examples
When asked about the single most important cybersecurity advice for CEOs, Robert Herjavec replied, "Understand the world you live in." For too long, executives have viewed cybersecurity as something which is somewhat disconnected from the core business. Sure, it's important to have a cybersecurity team, but does it really affect the bottom line? Over the past few years the answer has become an undeniable yes.

For example, Silent Breach projects that the costs of cybercrime will double by 2021 to $6 trillion. To put that in perspective, cybercrime will soon be more profitable than the global trade of all of the main illegal drugs combined.

Let's take a look at the healthcare industry. Recent estimates have set the cost of an average cyberattack at a staggering $1.4 million, with 44% of healthcare organizations falling victim to a ransomware or crypto-mining attack, and 14% reportedly experiencing both. Now, if that doesn't affect the bottom line, then I'm not sure what does.

Turning to local government, in June 2019 alone, two Florida cities paid out over $1 million in ransom to regain control over their systems. For those who instead choose to fight the hackers, the results can be even more dire: the city of Baltimore has already spent $18 million in the last few months instead of bowing to a $60,000 ransom. And the list goes on.

The truth is that most organizations are incredibly ill-prepared in the event of a breach, and this lack of preparedness will almost always translate into a serious financial loss. Leveraging these stories will go a long way in conveying to the board the true scale and ramifications of cyberattacks.

3. Understand Who You're Talking To
Just like some of the other board members may not agree with or even fully understand your priorities, you probably could do a better job of learning about their work and the perspective they've cultivated. When was the last time that you've discussed a recent ad campaign with the CMO, or dug into the quarterly financials with your CFO? The first step you can take to capture your colleagues' interest and respect is to show an equal amount of engagement in return. And who knows? Maybe you'll even learn a thing or two in the process.

At Silent Breach, we strongly believe that cybersecurity is a mindset rather than any silver bullet solutions. We work with our clients to foster a culture of vigilance which filters through to each department. Just like each industry requires a tailored approach, each department represents a unique security challenge. Accordingly, sustained communication will always be key to any robust cybersecurity strategy.

4. Speak Their Language
Gartner's recent Security and Risk Trends for 2019 begins with the following slide presented by the CISO of a national transportation system during a board meeting:

"This organization has no appetite for safety risk exposure that could result in injury or loss of life to the public, passengers or the workforce. All safety targets are met and improved year over year. We are willing to accept risks that may result in financial loss. The company will only tolerate low to moderate gross risk exposure in the delivery of operational performance network reliability and capacity and asset condition."

The ability of CISOs to translate technical issues into business jargon, such as Risk Appetite Statements, will be the defining security trend of 2019. In crucial ways it will be cultural adjustments such as these that will provide the sorely needed expenditure increases in cybersecurity.

Implementing these changes in inter-departmental dialogue won't come overnight. But any CISO who sincerely and persistently embraces these proven techniques for boardroom communication will find that their fellow C-suite execs won't respond with begrudging acquiescence, but will grow to embrace cybersecurity as a critical component of any comprehensive business strategy.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.