Should CISOs be expected to explain everything to the board in the language of the business, or does the board need to make an effort to learn the language of tech/security?

Vice President of Information and Security in Manufacturing, 4 years ago

In today's ever-changing market, the CISO should be able to communicate and connect with the board regarding cybersecurity risks, mitigation, and the maturity level of the security platform in business-speak. The CISO is the security expert and needs to be able to transfer this into a language the board can understand.

Director of IT in Finance (non-banking), 4 years ago

Effort should be made.

Director of Technology Strategy in Services (non-Government), 4 years ago

I feel that it's on both to make an effort to understand the perspective of the other side.

But the CISO should be making sure their message is as easy to understand as possible.

Managing Partner & CISO in Software, 4 years ago

When I was at JP, for big clients we would fly in to coach their boards. I don't even know how many boards we have coached, all public companies. What I found to be really, really interesting is that, when you talk to a board member and they literally don't have the context of an API, it's impossible to understand what the business actually does anymore. Everything is out of the window, because every company today is either in data or moving into a dramatic digital ecosystem. The technology rate is moving so fast. And that's why I do think there's big value in being able to simplify it for lay people. But fundamentally, we have a fake conversation. We talk about cybersecurity like, "Hey, we can have zero cyber incidents," right? The risk tolerance is like, "Hey, we don't want any." But at JP Morgan, we wrote off $2 billion a year in fraud losses. We were okay throwing away $2 billion a year in fraud, but we're going to have a tolerance for zero catastrophe... There is a tolerance that you have to accept.

no title, 4 years ago

Absolutely. Yeah.

no title, 4 years ago

API, they probably should be learning that. Anybody who goes in and can say with a straight face to the board that there'll be zero cyber incidents is in the wrong business. They should be in acting, and they'll be very good at that. Any board who takes that statement at face value and doesn't question the person is probably not doing a great job. It's not a question of if, it's a question of when.

Member Board of Directors in Finance (non-banking), 4 years ago

I think it's so important for CISOs and CIOs to communicate in terms of business risk and business impact, and then the probability of the cyber event actually occurring. I spend a lot of time actually helping translate and educate technology executives on how you speak to the board, having been on both sides of the equation. So, in companies that understand the challenge, if the board is paying attention, I can assure you that there will be resources and budget allocated to this particular problem. And this is where, I think, CISOs come in. Great CISOs have an ability to explain in layman's terms the risk that the company is taking, and the risks of not plugging certain deficiencies from the cybersecurity perspective. It really depends on what the priorities of the company are and how you are able to articulate the risks that the company is taking from the cybersecurity perspective, so your board members could understand, your CEO could understand, if the person is not a technologist.

no title, 4 years ago

Marina, while I completely agree with you on a lot of it, I think that boards are lazy. They're not doing their job. And they are not doing what they should be doing, which is learning the language of security, because any of us going into a board, we have to understand EBITDA, net income, gross margin. If we don't understand that, they think we're schmucks. The board understands key legal issues, right? They also understand what an SQL is, what an MQL is. Those are marketing acronyms. So why can't they learn the security acronyms? I think they have to walk towards us and we have to walk towards them to really change the dynamics more broadly on it.

no title, 4 years ago

I think the way boards solve this issue is that they bring people like you and me to sit at the table and actually help. I think they find that this is a better way than for the old dog to learn new tricks.
