When veteran cybersecurity leader Christopher Hetner wanted to build up trust with his company’s board, he sought out his C-suite colleagues to first better understand their work and security needs.

“I had to build the trust with the business and understand their mindset, how the business operates and what drives profit and risk posture,” he says. He notes that while senior vice president of information security at Citigroup he physically sat alongside the CFO as the CFO worked to educate himself on what drove the company’s growth.

Hetner says such outreach is needed for security executives to move beyond the technical part of their role so they can better assist with their organization’s overall strategy and offer the kind of advice that the board will trust and value.

“CISOs are more comfortable with technical-driven metrics and having a technology dialogue with the board, so they’re not presenting to the board the business risk through an economic exposure. I wouldn’t discount the importance of some of the technical metrics, but you have to go with the ‘So what? factor,’ the ‘Here’s the downstream impact.’ That’s a different type of dialogue,” says Hetner, managing director of cyber-risk security consulting at Marsh and special advisor for cyber risk at the National Association of Corporate Directors (NACD). Hetner is also a former senior cybersecurity advisor to the chairman of the U.S. Securities and Exchange Commission.

Why trust matters

More and more CISOs are presenting to their organization’s boards of directors, yet researchers, executive advisors and experienced security leaders like Hetner say that while great presentations are required, they’re not enough.

“The objective is to gain the board’s trust, so the CISO can get their backing when he’s seeking to do hard things,” says John Pescatore, director of emerging security trends at the SANS Institute, a nonprofit that specializes in security and cybersecurity training.

They say establishing trust is the higher aspiration for organizations that want to elevate their security function to a strategic level, to a full C-suite partner whose expertise will influence leadership’s strategic decision-making.

“When the board trusts the CISO, the CISO can do better, move quicker, act in the way they need to and get the funds they need. That’s critical, because cybersecurity risk is so dynamic. It requires CISOs to adjust the strategy and operating model very quickly. And if the CISO doesn’t have the support of management and the board, he or she can’t do their job,” says Kris Lovejoy, the global cybersecurity leader at professional services firm EY/Ernst & Young LLP.

Increasing oversight belies “limited understanding”

Company directors do indeed recognize the importance of security. The nonprofit NACD, in a recent survey of more than 500 public company directors, found cybersecurity threats listed among the top three trends that will have the biggest impact on their companies, just behind regulatory changes and economic slowdown.

Global research and advisory firm Gartner Inc. finds it similarly top of mind, reporting that by 2020 the boards of all large enterprises will expect at least annual reports from their executives on cybersecurity and technology risk – an increase of 40% from 2016.

However, experts say there’s a real disconnect between security leaders and the board.

The EY Global Information Security Survey 2018-19 found that 28% of the 1,400 global C-level executives surveyed say the board/executive management team has no “comprehensive understanding of information security to fully evaluate cyber risks and preventive measures,” with another 31% saying it has a limited understanding; only 39% say the board/executive management team has the comprehensive understanding needed to fully evaluate risks and prevention.

Furthermore, it found that only 18% of organizations make information security a strategic agenda item, with another 55% saying security influences business strategy only somewhat or not at all.

“The boards say they feel as if they’re hearing that everything is OK. They’re getting reports from the CISO about a maturity framework with red, yellow and green coding on where things are, and they don’t necessarily understand what they’re seeing, and they’re uneasy,” Lovejoy says.

Other experts offer similar observations, saying CISOs too often give overly technical presentations to the board, offering as proof of success security-industry metrics that don’t offer any insight on business impact. They talk about the number of phishing attacks stopped or viruses blocked, the high rate of patching and other such measurements.

“That’s not a message that resonates with the board,” Hetner says.

Signs of trouble

To be fair, though, CISOs shouldn’t shoulder all the blame. Board members also have an obligation to educate themselves on security topics and how those fit into the strategies they oversee, as well as to understand how they can best support the security function in their organizations.

“Creating that trust is a two-way street. The CISO wants to know the board believes in what they’re doing, and the board wants to know what the CISO is doing. So they have to work together to set expectations for the CISO to meet,” Lovejoy says, adding she doesn’t see outright distrust as much as she sees boards feeling uneasy in the relationship they have with the security executive.

Here are four signs that the CISO doesn’t have the board’s trust.

Not presenting to the board

A glaring sign of trouble is the absence of any regular CISO presentations to the board. “If you’re not presenting to the board, when someone is doing it for you as a proxy, that’s a simple tipoff,” Lovejoy says, adding that CISOs should present directly to the full board at least once a year – in addition to quarterly presentations to a relevant oversight committee (usually the audit committee) if not the full board itself.

Lack of discussion

Hetner says a lack of discussion following those presentations is another sure sign the CISO doesn’t have a strong relationship with the board. “The lack of effective challenge is an indication that it’s not only the CISO but also the board’s [ineffectiveness], that the board isn’t equipped to provide that effective challenge to the CISO,” he explains.

Fielding the wrong questions

Another indication of trouble is when CISOs find themselves answering board member questions that are focused on what Lovejoy calls the “wrong metrics” – if they’re trying to understand technical measures, for example. “That’s a good indication that they don’t understand what you’re describing,” she says.

Being left out of early conversations

CISOs who aren’t frequently connecting with their C-suite colleagues to contribute perspectives on business strategies also don’t have the board’s trust, Lovejoy says. “If the CISO isn’t being brought in early to be part of the discussion around strategy upfront and early, that means the CISO isn’t relevant enough to be a consultant on risks for transformative moves,” she adds.

Recommended fixes

There are several key moves that CISOs can make to build up the trust between themselves and the board, according to research and expert experience.

Know your company’s risk tolerance

To start, CISOs should make sure they’re on the same page as the board when it comes to the organization’s tolerance for risk – something that many organizations have not explicitly established.

“I have personally seen over the years and daily hear from my peers across the sectors that they feel like the board is doing check-the-box or what is the minimum standard,” says Rebecca Wynn, head of information security and the data protection officer with Matrix Medical Network in Scottsdale, Ariz.

NACD’s own findings speak to the disconnect between boards and their security leaders on this point, reporting in its 2019 Governance Outlook: Projections on Emerging Board Matters that 70% of respondents to its annual survey of public company directors said they need to better understand the risks and opportunities affecting company performance.

If a clear articulation of the board’s appetite and tolerance for risk is lacking, Lovejoy recommends CISOs initiate the conversation: “The CISO should say, ‘I can work toward whatever goal you establish but I need that goal post.’” CISOs then need to better articulate how their security team is doing against that established goal.

Communicate exposures in a business context

Hetner says CISOs need to be fully transparent about what exposures exist across the enterprise, explain the potential obstacles to advancing the cybersecurity program and communicate how cyber risk can be realized across the enterprise – all of which should be done with a business context.

“And by that, what I mean, is an understanding and assessment of cyber exposure through an economic lens and how that drives the prioritization of risk management,” Hetner explains. “It’s an evolution for CISOs [who should have] business acumen, strong effective communication skills, and apply all these skills in cybersecurity through a strategic lens.”

Establish connections

Others advise CISOs seeking to build up more trust with the full board to make connections outside their regular presentations. Pescatore points out that other C-suite leaders often connect with board members between meetings, giving them a heads-up on major items and building up a strong rapport during routine times that can help them work better together during tough stretches. “Boards fire CFOs, for example, they don’t trust. It’s not because they had a bad quarter. They know bad things sometimes happen,” he adds.

Wynn concurs with the relationship-building approach, saying “The CISO needs to find a true sponsor or champion on the board to assist him/her in moving forward with initiatives.”

Furthermore, Wynn recommends that CISOs do some work beyond their scheduled meetings to determine how best to break through any barriers they have with their boards.

“You need to be with the leaders, learn their communication style, what their strategic and tactical plans are for the years, and how you can best support them. If they are not open to your partnership then keep the communication open but seek out other partnerships,” she adds.