Should CISOs be expected to explain everything to the board in the language of the business, or does the board need to make an effort to learn the language of tech/security?

2.3k views · 4 Upvotes · 15 Comments

Member Board of Directors in Finance (non-banking), 201 - 500 employees
I think it's so important for CISOs and CIOs to communicate in terms of business risk and business impact, and then the probability of the cyber event actually occurring. I spend a lot of time actually helping translate and educate technology executives on how you speak to the board, having been on both sides of the equation. So, in companies that understand the challenge, if the board is paying attention, I can assure you that there will be resources and budget allocated to this particular problem. And this is where, I think, CISOs come in. Great CISOs have an ability to explain in layman's terms the risk that the company is taking, and the risks of not plugging certain deficiencies from the cybersecurity perspective. It really depends on what the priorities of the company are and how you are able to articulate the risks that the company is taking from the cybersecurity perspective, so that your board members could understand, your CEO could understand, if the person is not a technologist.
6 Replies
Board Member, Advisor, Executive Coach in Software, Self-employed

Marina, while I completely agree with you on a lot of it, I think that boards are lazy. They're not doing their job. And they are not doing what they should be doing, which is learning the language of security, because any of us going into a board, we have to understand EBITDA, net income, gross margin. If we don't understand that, they think we're schmucks. The board understands key legal issues, right? They also understand what an SQL is, an MQL is. Those are marketing acronyms. So why can't they learn the security acronyms? I think they have to walk towards us and we have to walk towards them to really change the dynamics more broadly on it.

Member Board of Directors in Finance (non-banking), 201 - 500 employees

I think the way boards solve this issue, they bring people like you and me to sit at the table and actually help. I think they find that this is a better way than for the old dog to learn new tricks.

Board Member, Advisor, Executive Coach in Software, Self-employed

It's the lazy path.

Managing Partner & CISO in Software, 11 - 50 employees
When I was at JP, for big clients we would fly in to coach their boards. I don't even know how many boards we have coached, all public companies. What I found to be really, really interesting is that, when you talk to a board member and they literally don't have the context of an API, it's impossible to understand what the business actually does anymore. Everything is out of the window because every company today is either in data or moving into a dramatic digital ecosystem. The technology rate is moving so fast. And that's why I do think there's a big value of being able to simplify it for lay people. But fundamentally, we have a fake conversation. We talk about cybersecurity like, "Hey, we can have zero cyber incidents," right? The risk tolerance is like, "Hey, we don't want any." But at JP Morgan, we wrote off $2 billion a year in fraud losses. We were okay throwing away $2 billion a year in fraud, but we're going to have a tolerance for zero catastrophe... There is a tolerance that you have to accept.
1 4 Replies
Member Board of Directors in Finance (non-banking), 201 - 500 employees

Absolutely. Yeah.

CIO in Software, 5,001 - 10,000 employees

API, they probably should be learning that. Anybody who goes in and can say with a straight face to the board that there'll be zero cyber incidents is in the wrong business. They should be in acting, and they'll be very good at that. Any board who takes that statement at face value and doesn't question the person is probably not doing a great job. It's not a question of if, it's a question of when.

Board Member, Advisor, Executive Coach in Software, Self-employed

Because you can't eliminate risk, physically, logically, cyber, right? That's the basic rule.

Director of Technology Strategy in Services (non-Government), 2 - 10 employees
I feel that it's on both to make an effort to understand the perspective of the other side.

But the CISO should be making sure their message is as easy to understand as possible.
Director of IT in Finance (non-banking), Self-employed
Effort should be made.
Chief Information Officer in Manufacturing, 10,001+ employees
In today's ever-changing market, the CISO should be able to communicate and connect with the board regarding cybersecurity risks, mitigation, and the maturity level of the security platform in business-speak. The CISO is the security expert and needs to be able to convey this in a language the board can understand.
