Should CISOs be expected to explain everything to the board in the language of the business, or does the board need to make an effort to learn the language of tech/security?
Sort by:
effort should be made
I feel that it's on both to make an effort to understand the perspective of the other side.
But the CISO should be making sure their message is as easy to understand as possible.
When I was at JP, for big clients we would fly in to coach their boards. I don't even know how many boards we have coached, all public companies. What I found to be really, really interesting is that, when you talk to a board member and they literally don't have the context of an API, it's impossible to understand what the business actually does anymore. Everything is out of the window because every company today is either in data or moving into a dramatic digital ecosystem. The technology rate is moving so fast. And that's why I do think there's a big value of being able to simplify it for lay people. But fundamentally, we have a fake conversation. We talk about cybersecurity like, "Hey, we can have zero cyber incidents," right? The risk tolerance is like, "Hey, we don't want any." But at JP Morgan, we wrote off $2 billion a year in fraud losses. We were okay throwing away $2 billion a year in fraud, but we're going to have a tolerance for zero catastrophe... There is a tolerance that you have to accept.
Absolutely. Yeah.
API, they probably should be learning that. Anybody who goes in and can say with a straight face to the board that there'll be zero cyber incidents is in the wrong business. They should be in acting, and they'll be very good at that. Any board who takes that statement at face value and doesn't question the person is probably not doing a great job. It's not a question of if, it's a question of when.
I think it's so important for CISOs, CIOs to communicate in terms of business risk and business impact and then probability of the cyber event actually occuring. I spend a lot of time actually helping translate and educate technology executives on how you speak to the board, having been on both sides of the equation. So, in companies that understand the challenge, if the board is paying attention, I can assure you that there will be resources and budget allocated to this particular problem. And this is where, I think, CISOs come in. Great CISOs have an ability to explain in layman terms the risk that the company is taking, and risks of not plugging certain deficiencies from the cybersecurity perspective. It really depends on what the priorities of the company are and how you are able to articulate risks that the company is taking from the cybersecurity perspective. So your board members could understand, your CEO could understand if the person is not a technologist.
Marina, while I completely agree with you on a lot of it, I think that boards are lazy. They're not doing their job. And they are not doing what they should be doing, which is learning the language of security, because any of us going into a board, we have to understand EBITDA, net income, gross margin. If we don't understand that, they think we're schmucks. The board understands key legal issues, right? They also understand what an SQL is, an MQL is. Those are marketing acronyms. So why can't they learn the security acronyms? I think they have to walk towards us and we have to walk towards them to really change the dynamics more broadly on it.
I think the way boards solve this issue, they bring people like you and me to sit at the table and actually help. I think they find that this is a better way than for the old dog to learn new tricks.
In today's ever-changing market, the CISO should be able to communicate and connect with the board regarding cybersecurity risks, mitigation, and the maturity level of the security platform within business-speak. The CISO security expert and needs to be able to transfer in a language the board can understand.