CISOs facing boards need better business, communication skills

As information security becomes a more important topic of interest, CISOs are increasingly asked to step up and brief boards on cyber issues

1 2 Page 2
Page 2 of 2

"The board becomes very receptive to that because they see the business content, because the marketing team is on board," he said. "Here's the net benefit to the company. That's how I've approached bringing things that are more company strategic."

It can be hard to justify technology costs by focusing purely on the security benefits, he said.

"Fear mongering, although helpful at one time to garner support, today leads to only short-term support and ultimately undermines CISO credibility," said Adam Vincent, CEO at security firm ThreatConnect. "Instead, the CISO should focus on clearly communicating strategic risks to the business and what is being done to mitigate the risk."

For example, CISOs might be able to get more money for their security projects by attributing the costs to the business unit or organization that will benefit from them, instead of asking for funding in one lump sum, said David Shearer, executive director at International Information Systems Security Certification Consortium.

"CISOs need to bridge the gap between the technical aspects of the information security program and the business value board members are looking for from investments," he said.

For example, when Jason Thomas, CIO at Ruston, La.,-based Green Clinic, was pitching consolidated user accounts to his board of directors, he didn't pitch it as a costly new security project.

Instead, he pitched as a way for doctors to be able to log in to all their systems with just one user name and password, so that they could stop worrying about security, and focus more on their patients.

"That's a business simplifier," he said.

His board, mostly composed of medical professionals, is worried about security, he added.

"But it's a difficult situation because you're trying to educate them without giving them fatigue," he said. "You have to have a light touch with security, and not freak them out."

Whenever a project can be pitched as a business benefit or competitive advantage, that helps, he added.

New success metrics needed

Eric Cole, Fellow at SANS Institute, said that he's regularly seeing CISO becoming equal to the CIO and reporting to a risk executive, or directly to the board.

"It's security that keeps executives up at night, not IT infrastructure," he said.

Many boards don't know what to look for in a CISO, and how to tell whether a CISO has been doing a good job or not, he said.

"The problem is the metric the board is using today, is if you don't have a breach, then security is doing its job," he said. "And that's a very dangerous metric because we know that everybody will have a breach."

[ ALSO: How to Talk to the Board of Directors ]

Then, once a breach happens, someone falls on their sword -- and that someone is the CISO.

"If you're going to be a CISO in the near future, keep your resume updated, because you're going to be moving around for a few jobs," Cole said. "CISOs are like NFL coaches -- they don't go away, they just go from team to team."

"We've seen CISOs fired after a high profile breach has occurred," said Frank Mong, vice president of solutions for HP Security. "With the level of stress and risk taken on by CISOs today, there is a high rate of burnout. The role of the CISO is no walk in the park."

But there is a way out, said SANS Institute's Cole said.

New CISOs need to start by educating their boards about the relative costs of risks.

How much would perfect security cost? How much can the company actually afford? What risks is it willing to take?

"You have to understand the risk appetite of the executive team," Cole said. "Then you need to define clear metrics for security that they can understand."

Joining the board

There is one more step that corporate boards can take to improve security -- bring a security expert onto their board.

"I think we're going to increasingly see search committees looking for directors who can demonstrate particular technology competencies," said Gerry Stegmaier, partner in the privacy and data security practice at Goodwin Procter LLP.

Earlier this year, for example, Wells Fargo elected retired Air Force Maj. Gen. and commander Suzanne Vautrinot to its board of directors. At Air Forces Cyber, she oversaw a multi-billion dollar global cyber enterprise with 14,000 military, civilians, and contractors.

"This topic has become so important that in a few cases, we've even seen federal regulators encourage boards to add more cyber expertise to the board," said Jim Jaeger, chief cyber services strategist at Fidelis Cybersecurity.

1 2 Page 2
Page 2 of 2
Get the best of CSO ... delivered. Sign up for our FREE email newsletters!