4 signs the CISO-board relationship is broken (and 3 ways to fix it)

Gaining the board's trust is key for elevating the security function to a strategic level. To do that, CISOs will need to get out of their technical comfort zone.

When veteran cybersecurity leader Christopher Hetner wanted to build up trust with his company’s board, he sought out his C-suite colleagues to first better understand their work and security needs.

“I had to build the trust with the business and understand their mindset, how the business operates and what drives profit and risk posture,” he says. He notes that while he was senior vice president of information security at Citigroup, he physically sat alongside the CFO as the CFO worked to educate himself on what drove the company’s growth.

Hetner says such outreach is needed for security executives to move beyond the technical part of their role so they can better assist with their organization’s overall strategy and offer the kind of advice that the board will trust and value.

“CISOs are more comfortable with technical-driven metrics and having a technology dialogue with the board, so they’re not presenting to the board the business risk through an economic exposure. I wouldn’t discount the importance of some of the technical metrics, but you have to go with the ‘So what?’ factor, the ‘Here’s the downstream impact.’ That’s a different type of dialogue,” says Hetner, managing director of cyber-risk security consulting at Marsh and special advisor for cyber risk at the National Association of Corporate Directors (NACD). Hetner is also a former senior cybersecurity advisor to the chairman of the U.S. Securities and Exchange Commission.

Why trust matters