The dos and don'ts of advocating for cybersecurity in the boardroom

When Chris Jacquet joined Hitachi Vantara, the Chief Information Security Officer (CISO) function was understaffed and underfunded. Over the past six years, the Vice President and CISO grew the organization from a small team to a large enterprise security operation. In a talk at the ISC² Security Congress 2021 on Monday, Jacquet explained how best to advocate for security in the boardroom.

"The importance of cyber in the board is really snowballing, and it's because now people are seeing cyber as a major business issue," said Jacquet. Over the past five years, cybersecurity has become a top-of-mind issue in the C-suite, largely due to several high-profile cyberattacks, including the Solarwinds, Equifax and Colonial Pipeline breaches. A CISO can use the threat of negative branding and loss of reputation in the boardroom when advocating for increased cybersecurity measures.

Understanding the makeup of the board

It's important to keep in mind the role of the board — to represent and support the shareholders. A successful CISO needs to identify tech savvy board members, as well as those who support or detract from cybersecurity measures. Utilizing board members or advisors with cyber backgrounds can greatly increase the chance of gaining the security funding an enterprise needs. Some boards may need to be approached more simplistically, while others already understand cyber threats to enterprise like ransomware or hacks.

Presenting to the board: preparation is key

A successful CISO will consider the top-of-mind cyber questions from the board members' perspectives. This can include identifying the motivations of potential cyberattacks, developing threat detection protocols and articulating the speed of those capabilities, explaining the emergency response in the wake of an attack and teaching the board about potential targets in the company, like the internet protocol (IP) or customer base. Boards will also ask the financial questions: a CISO needs to be able to articulate where funds are going and why cybersecurity needs to be prioritized using specific company metrics to prove the case.

Oftentimes, a board cares more about resiliency than prevention, according to Jacquet. This involves having the right people in the room when a breach occurs. When a CISO liaises with the legal and communications teams, they protect the company from the threat of a tarnished reputation. 

Framing security as a business advantage can also be advantageous in the boardroom — if a competitor recently introduced a new cybersecurity strategy, a CISO can mention this to board members as a way to stay at the forefront of their field. The board wants to know if the cybersecurity team is doing better or worse than the previous quarter. A positive comparison to issues presented at the last board meeting can help show the evolution of cybersecurity at the enterprise. 

Things to avoid in the boardroom

When presenting to the board, there are some strategies CISOs should avoid while advocating for cybersecurity measures, according to Jacquet.

• Don't get technical. Although it is tempting to explain cyber concepts to the board, a CISO risks losing their audience by using language and concepts that the board does not understand. It's better to frame cybersecurity issues in terms of their effects on the company, rather than what an issue technically involves. Back up any metrics with information from a third party. This improves a CISO's credibility and shows board members that they can trust their security executives.
• Don't be too reassuring. Telling the board that everything is fine can land a CISO in hot water if an attack happens soon after a board meeting, giving the board the impression that the CISO doesn't have a handle on the true cyber landscape of the firm.
• Don't scare the board. Board members don't want to feel that the cybersecurity situation is out of control. A successful CISO should be honest, share what is working well and not so well and how the security team will address issues.

Using these tips, a CISO can better prepare for and execute successful presentations to their board.