A cybersecurity leader benefits from strong connections with key business leaders in their company – especially the CIO, General Counsel, Head of Internal Audit, CFO, and CEO. The role has evolved to be a fixture in front of the board in most high-risk organizations, and developing that relationship is also crucial to your success.
Support from your board can influence investment and priority decisions made by senior leadership, and their support also sends a strong message to the organization – tone is set from the top. The cybersecurity guidelines released by the SEC last year are pushing boards to become more engaged in cybersecurity oversight – so your board should want to develop this connection as much as you do.
I have been briefing boards on cybersecurity going back almost 30 years, and now serve on boards – so I have seen the relationship from both sides of the table. Here are my suggestions for building a strong connection with your board:
· Understand the role of a board – The board is not part of management; they provide oversight of management. They have a fiduciary responsibility to stakeholders to ensure management is taking appropriate, legal, and ethical actions to address risks such as cybersecurity. While each board is unique, in general this means an update to your board is different from a meeting with senior management. It should be at a higher level and focus on the big picture of risk.
· Know who is on your board – Read their bios to understand their background, technical acumen, and focus, and adjust your language and message accordingly. Do any of your board members have a background in technology or cyber? Unfortunately, very few boards have any directors who do, so you may need to devote effort to building their knowledge over time.
· Speak the board’s language – Knowing the role and makeup of your board, speak their language and frame your message to fit their needs. Do not use acronyms and cyber-speak they will not follow, and frame your message in terms of financial and business impacts.
What does a board want to know? In general, your board wants to know:
· What are our biggest risks – How does cyber threaten our business objectives and crown jewels? What are the potential impacts to operations, finances, and reputation?
· Are we taking appropriate action to mitigate the risks – following a framework, aligning with the business, making appropriate progress?
· What are our next steps – do we have gaps, and what actions are we taking to address them?
An engaged and forward-thinking board is also going to want to know – what obstacles are you encountering, and where do you need help?
Meeting with your board
Think through your goal for the meeting: What story do you want to tell? It might be to:
· Build understanding of your program – risks, the purpose and strategy of your program, and how you align with and enable business goals
· Get attention or make a call to action – asking for priority, help, or resources
· Relay information – a status update, describing an incident, or touting key progress
The 2023 SEC cybersecurity guidelines and subsequent charges against SolarWinds, although mostly dismissed, send a clear mandate for transparency in your messaging to the board. It is critical that the cybersecurity leader tells it like it is and is not sugarcoating their message. That means being factual on risks, progress, and gaps.
Use real examples to provide credibility: As CSO in healthcare, being able to point to other healthcare providers having patient care systems shut down for weeks at a time by ransomware attacks got our board’s complete attention and support. Our cybersecurity risk was no longer theoretical to them, and they knew we could be next if we did not do the right things.
Prime the pump: Can you include a one-pager in the board’s advance materials for pre-reading to save time, educate, and possibly spur questions? If you can, make it a standard part of the board “book” to include a one-pager on a key topic – such as the latest ransomware attacks, what happened with CrowdStrike, increasing risks from phishing due to AI, etc. It is an opportunity to develop their understanding and also get them thinking about cyber before your meeting.
Develop supporting allies in the boardroom – the CIO, head of Internal Audit, General Counsel, and CFO may be in the room for your updates. Is there time to pre-brief them so they understand your key points and can support you on board questions?
Get feedback: Ask someone attending (one of your allies listed above) to provide you feedback after the meeting, so you can improve each time.
One more suggestion: Host a tabletop exercise for the board. This takes real commitment from your board, but we did it at my last company and it was a game-changer for their understanding and engagement. You will need your CEO’s support, and then ideally a champion on the board to push for it, but it is time well spent.
Taking thoughtful steps like these will develop your relationship with the board – their comfort level meeting with you and your comfort level meeting with them. That is a difference maker for your program.