The CSO's playbook for forging board relationships

Security is a board-level concern, but many boards aren’t confident they have the information and processes to provide effective governance. This nine-point plan will help you cement your role as a trusted advisor.


Selim Aissi, CISO at software company Ellie Mae, saw it as confirmation of his role as trusted adviser when one of his company’s board members texted him late one night a few years ago.

The director wanted to better understand NotPetya, the devastating 2017 malware that spread disguised as ransomware and was beginning to make headlines at the time. Aissi followed up the text with a phone call, during which he and the director talked about the news-making malware.

Although it wasn’t the first or last time a board member sought out his insights, Aissi says the director’s comfort in initiating that conversation illustrated for Aissi that he had a strong relationship with the board.

“That was my first big aha moment,” Aissi adds.

Security in the past five years has become a board-level concern, elevated from an operational issue to a strategic one – a change that has CISOs increasingly presenting to board members.

Yet Aissi and others say scheduled presentations shouldn’t be the only interaction CISOs have with the board. Instead, they recommend security executives cultivate relationships with board members so that both sides better understand how security and organizational objectives intertwine.

“The first time you’re calling the board should not be when you have an incident. There should be an ongoing dialogue, there should be an ongoing relationship,” says Nicole Monteforte, a vice president at the management and IT consulting firm Booz Allen Hamilton.

The stakes are high: A January 2020 report from Booz Allen Hamilton and the UC Berkeley Center for Long-Term Cybersecurity found that many boards regard cybersecurity risk as an “existential threat” but aren’t confident they have the information and processes to provide effective governance.

Building relationships takes more than delivering great presentations, and it draws on a range of networking and interpersonal skills. Here Aissi and others share their strategies for creating better rapports with corporate directors.

Start with strong business relationships

CISOs can’t expect to build strong bonds with the board if they’re not working well with their business colleagues, a situation that executive advisers say remains a common occurrence. “In many organizations, CISOs still allow themselves to get into an adversarial relationship with the business,” says Julian Waits, general manager of the cyber business unit at Devo, a data platform technology company, technology chair for the International Consortium of Minority Cybersecurity Professionals, and a board director with Lynx Technology Partners. He recommends that CISOs seeking more credibility with the board first ensure they’ve got that from their fellow C-suite executives, that they’re seen as business enablers and not hindrances. He adds, “The CISOs I’ve seen who are most successful [with board relationships] become business partners first.”

Study up on the board

Rudy Bakalav, vice president of cyber and digital transformation at Booz Allen Hamilton, suggests CISOs read analyst reports, annual reports, board meeting minutes and other such documents to understand what board members have on their agendas and how they’re planning to deal with those issues moving forward. He says CISOs can also glean from these reports a better appreciation of the imperatives facing the board and the business. “They are a proxy for what the board is thinking,” Bakalav says. Bryce Austin, a cybersecurity consultant and founder of TCE Strategy, a security services firm, took that approach as he cultivated relationships with board members when he was a CISO, saying he learned about their individual histories, their roles on the board, whether they served on boards at other companies, etc. “All that can give insight into where their minds are at,” Austin says.

Find opportunities to interact

Executive and board advisers also tell CISOs to attend board events even when security issues aren’t on the agenda, so they can simply listen, learn and take notes. Brian Haugli, partner and co-founder of consultancy SideChannelSec, agrees, saying CISOs should also find opportunities to interact with board members outside of meetings, just as others in the C-suite do. That may mean attending board dinners, making introductions when board members are on site, and initiating conversation during breaks between scheduled presentations.

Get on the same page as the board

Bakalav says boards owe it to their CISOs to be clear about what they want. “Everyone talks about how the CISO can do better, but I would suggest that this is really a joint responsibility. It’s very critical that the board has communicated clearly what their expectations are, what are the risks they’re willing to tolerate and which they’re not willing to tolerate, and be very clear about the status reporting and feedback that they expect to see,” he says. “And it’s important for the CISO to tailor the message and the various dashboards to be in line with the board’s expectations.”

If CISOs don’t have that alignment, Bakalav says they should seek it out. For example, as Aissi sought to build rapport with his board, he focused on delivering security information in constructive ways, aiming for transparency but also translating security into risk and business terms. He also worked with the board to develop a framework containing well-defined risks and metrics to be used at each presentation. “The board agreed I would share these key indicators every time I talked with them, and those measures don’t change, so they themselves can go back and check how we are doing today vs. a year ago,” he says.

Follow corporate protocols (and respect office politics)

Veteran executives and directors recommend CISOs work within the norms of corporate protocols when cultivating relationships with board members to avoid the appearance that they’re trying to go against or around the CEO, the CIO and other company leaders. Be respectful of office politics, says Valerie Abend, managing director of Accenture Security. “Don’t go outside the process, it never works well,” she adds. Abend says she has seen CISOs cultivate relationships with individual board members but then use those relationships to gripe about the budget or expose perceived problems. “Building relationships,” she explains, “is to provide information so the board can do its job of oversight, it’s not to get into the nitty-gritty of you vs. them.”

Don't go it alone

Aissi had presented to boards prior to becoming CISO at Ellie Mae in 2015 yet felt he could improve his presentations and his overtures to the directors. So he sought out people in his network, including two former CEOs serving on boards, who could guide him as he moved forward. “These were people who could offer insights on what could work,” Aissi says. “I’d talk to mentors, saying, ‘I’m working on how to explain risk to the board, is this the way to approach it? Will it work? Or here’s what I think I need to do to be successful in building a relationship with the board, does that make sense?’”

Many experts advise CISOs to get a sponsor to help navigate office politics and smooth introductions. “You don’t want to just call up the chairman of the board and say you want to meet. You have to figure out who’s the one who can get you in,” Haugli says. Look for a fellow executive who has an existing rapport with board members who seem tech-oriented or particularly interested in security issues and then ask that executive to help make connections.

Know what your board wants

CISOs need to draw on those same networking and interpersonal skills to gauge the reaction of the board and individual directors and to ascertain the level of rapport they want. Not all boards, or all members, will value a higher degree of interaction with the CISO. “It’s going to depend on the organization and how critical cyber is,” Monteforte says. “Ones where cyber is critical, that’s where the CISO should have an ongoing, consistent relationship and direct relationship with individual members or maybe even a committee like the audit committee.” On the other hand, CISOs who think the board would benefit from more interaction should work with the CEO to nudge the board in that direction, balancing that against pushing too hard. Bakalav says CISOs should be prepared to advocate for a stronger bond by saying, “Based on an analysis of our business, industry and bad guys, we think this is the right balance and how we should be thinking about our cyber function.”

Find a champion

Roger Hale, CISO-in-Residence at YL Ventures, says CISOs should cultivate a relationship with board members or other executives who can champion security in the boardroom, both when the CISO is present and when he or she is not. “Identify [individuals] who care about security and build the relationship with them,” he says, adding that they can also offer advice on giving effective presentations and effectively interacting with the board as a whole. Hale points to his own past experience, saying he found that the treasurer at a prior company was particularly interested in enterprise risk management and resiliency so he used that common interest to first build a relationship with him and then drew upon that connection to be more effective with the board.

Advocate for a security-focused committee

Although boards already have a number of committees, one of which typically covers security as part of its remit, Aissi felt his company would benefit from a dedicated cyber committee with which he could interact more closely. He successfully lobbied for its creation, working with the company president and CEO to establish the new entity. In addition to engaging with board members at their quarterly meetings, he then connected monthly (usually via phone) with the cybersecurity and technology committee. “I had an opportunity every month to have this dialogue with board members, which helped me build that sense of the CISO as a trusted adviser,” he adds.

Copyright © 2020 IDG Communications, Inc.