Ask any business leader what their top-level concerns are, and cybersecurity will almost certainly be at or near the top. The average cost of a data breach now sits at $5 million, and that number continues to tick upward with each passing year. Adding to the severity of security, the frequency of attacks is also rising. Ransomware attacks alone have risen more than 80% in the past year, highlighting that adversaries are still finding success with tried-and-true tactics. Phishing and other social engineering tactics are also on the rise as attackers adjust their strategies to focus on not just technology, but human beings as well.
With that in mind, you might expect CISOs to play a more prominent role in shaping the future of the business — but that isn’t always the case. My conversations with other CISOs have revealed that CISOs can generally expect to spend about six minutes speaking with corporate boards in a given quarter. That’s not a lot of time, which means CISOs need to make their points efficiently and effectively. GRC expertise with a Rolodex of security acronyms isn’t going to help — today’s CISOs must be able to speak to board members and other business leaders in language that resonates with them. However, with CEOs, COOs and other executives increasingly coming under fire when breaches happen, boards are starting to pay more attention to cybersecurity. CISOs must take advantage by making the most of their limited time with effective and informative messaging.
The unfortunate truth is that most corporate boards have a very low level of cybersecurity literacy. That’s not intended as a knock, by the way—just an acknowledgment that board members generally get where they are not because they’re security experts, but because they’re business experts. Some are finance-focused, and some are sales-focused. Either way, their primary concern is how much money the business is bringing in, with cybersecurity investments much further down the list. They want to hear from the CEO, the CFO and the CMO. When the CISO walks through the door, that’s often when board members start scrolling on their phones.
That means CISOs can’t afford to beat around the bush. Meetings with the board are very important for security professionals. After all, the board sets the risk appetite for the company, and the C-Suite executes that vision. And remember, that risk tolerance will almost certainly change over time. During a business’s startup phase, the board will likely have a high risk tolerance. New businesses can’t afford to be conservative—they need to take big swings to secure customers and funding. A business that doesn’t take any risks probably isn’t making it past year one. But as companies mature (and especially as they approach a sale or IPO), risk tolerance will drop. No business wants to expose substantial risks during due diligence and give negotiation leverage to the buyer.
That puts the CISO in an advantageous position because the CISO is the one person who can explain to the board what their risk posture is. A good CISO should be able to break down where the company is engaged in risky behavior and where it is not, helping the board better understand where they can afford to take additional risks and where they may need to rein things in. If the company’s engineering lead is extremely conservative during the startup phase, the board may want to prod them to take additional risks. On the other hand, if the sales team is playing fast and loose with customer data, the board may want to put a stop to that. The CISO plays a critical role in giving them the information they need to make risk-based growth decisions.
The question, then, is this: How does the CISO convey this information in just six minutes? And how do they do it in a way that doesn’t make board members’ eyes glaze over?
In my experience, the best way to illustrate risk isn’t with static numbers. The biggest mistake is presenting a bunch of data that means nothing to the board. The average board member doesn’t know what a “risk score” is — and why would they? However, board members do understand how data is trending over time. Look at it this way: if I tell you the engineering department has a risk score of 70, it’s effectively meaningless. 70 what? Out of how many? Without context, it’s just a number. But if I tell you that the engineering department’s risk score has risen from 40 to 72 over the past three months and provide context for that increase, that tells a story. Now you understand that the engineering department is engaging in risky behavior and potentially putting the business in a precarious situation. For a board member, that context is critical.
It also helps illustrate the organization’s needs more effectively. When it comes to risk, there are only three options: accept it, resource it, or escalate it. If the risk isn’t acceptable and you don’t have the resources to fix it, the only remaining option is escalation. And once a concern reaches the board level, there’s nowhere left to escalate. That means that if you’re a CISO and you need something from the board, you need to be able to clearly articulate it and the reasons for it. If you can show the board that one risk element is trending in the wrong direction and propose a straightforward solution, your odds of getting what you want will increase dramatically. That’s doubly true if you can illustrate that it will reduce the odds of a costly breach and improve the organization’s bottom line.
One final note: it can be helpful to break down risk trends by department. Business executives are naturally competitive — that’s a big part of what makes them successful. If they can see that their fellow executives are effectively reducing risk month over month, the odds are good that it will spur them to similar action. No one wants to look bad—and no one wants to get reprimanded by the board, either. This also helps boards limit their own exposure and liability. If risks exist, it’s important to be able to show who is accepting those risks and at what time, so that if regulators arrive with questions there is a very clear paper trail illustrating when and by whom certain decisions were made. Certainly, no one wants to say “I told you so” when a vulnerability allows a catastrophic breach.
The truth is, I’ve been fortunate: Throughout my career, I’ve worked for cybersecurity companies where board members do have a relatively high level of technical expertise. Others may soon have that experience as well, as the SEC has recently begun implementing new rules that mandate a certain level of security knowledge among a company’s board members. But for most CISOs, making the most of their limited time with the board remains a challenge. Meeting board members where they are by presenting your findings in a straightforward manner that clearly illustrates the pattern of risk and how it can be addressed will help ensure you get what you need—whether you have six minutes or six hours.