Selim Aissi, CISO at software company Ellie Mae, saw it as confirmation of his role as trusted adviser when one of his company’s board members texted him late one night a few years ago.
The director wanted to better understand NotPetya, the devastating ransomware attack that was beginning to make headlines at the time. Aissi followed up the text with a phone call, during which he and the director talked about the news-making malware.
Although it wasn’t the first or last time a board member sought out his insights, Aissi says the director’s comfort in initiating that conversation illustrated for Aissi that he had a strong relationship with the board.
“That was my first big a-ah moment,” Aissi adds.
Security in the past five years has become a board-level concern, elevated from an operational issue to a strategic one – a change that has CISOs increasingly presenting to board members.
Yet Aissi and others say scheduled presentations shouldn’t be the only interaction CISOs have with the board. Instead, they recommend security executives cultivate relationships with board members so that both sides better understand how security and organizational objectives intertwine.
“The first time you’re calling the board should not be when you have an incident. There should be an ongoing dialogue, there should be an ongoing relationship,” says Nicole Monteforte, a vice president at the management and IT consulting firm Booz Allen Hamilton.
The stakes are high: A January 2020 report from Booz Allen Hamilton and the UC Berkley Center for Long-Term Cybersecurity, found that many boards regard cybersecurity risk as an “existential threat” but aren’t confident they have the information and processes to provide effective governance.
Building relationships takes more than delivering great presentations, and it draws on a range of networking and interpersonal skills. Here Aissi and others share their strategies for creating better rapports with corporate directors.