Events like the recent massive CDK ransomware attack – which shuttered car dealerships across the U.S. in late June 2024 – barely raise public eyebrows anymore.
Yet businesses, and the people that lead them, are justifiably jittery. Every CISO knows that cybersecurity is an increasingly hot topic for executives and board members alike. And when the inevitable CISO/Board briefing rolls around, everyone wants answers: Are we safe from attacks? Are we making progress? Could <insert name of CVE or incident that keeps you up at night here> happen to us?
These are all fair concerns.
The question is, how do we best answer them? A company board deserves clear, concise information tied to business goals, not technical details about fixes or attack methods. A communication gap between the CISO and the board can lead to misunderstandings, increased risk, and potentially devastating cyberattacks. And this is why one of the overriding challenges for CISOs today remains: How to present risk in a way that the board can understand and leverage to make informed decisions?
Check out XM Cyber's new eBook, A CISO's Guide to Reporting Risk to the Board. It's packed with strategies and tips to help you finally answer board questions about risk with confidence and accuracy. By establishing a plan for clear communication and measurable progress, CISOs can finally build boardroom trust and secure the resources needed to effectively manage cyber risks.
The Numbers Speak
Despite this clear and pressing need for communication, recent research by Heidrick and Struggles, leading executive search, and corporate culture consulting services, revealed a worrying disconnect between CISOs and CEOs. Only 5% of CISOs report directly to the CEO, indicating a potential lack of high-level influence, and 2⁄3 's of CISOs are two levels down from the CEO in the reporting structure.
This means the majority of cybersecurity leaders remain several steps removed from organizational decision-making. The Ponemon Institute study also found that only 37% of organizations think they effectively utilize their CISO's expertise. Research from Gartner highlights a similar trend: only 10% of boards currently have a dedicated cybersecurity committee overseen by a board member.
These numbers expose significant weaknesses in how organizations structure reporting and how boards receive briefings. Despite a more direct role for CISOs, the challenge of translating risk into clear business terms persists.
The Questions
As a CISO, asking yourself these five key questions can help you bridge the board/executive communication gap, present a clear picture of cybersecurity posture, and gain the support needed to effectively manage risk:
1. How do I justify my cybersecurity budget?
CISOs understand that strong cybersecurity requires ongoing investment. Without a clear justification, your budget requests are at risk of reduction or outright rejection. So, prove that your goals are not only achievable but worthy by demonstrating the return on investment in cybersecurity. Show naysayers that by securing resources to safeguard critical data and infrastructure, you are ultimately protecting the organization's financial health.
2. How do I master the art of risk reporting?
Mastering risk reporting is critical if you want to shift executive perception of cybersecurity. Non-technical audiences struggle with complex security threats. That's why your reports need to be clear and data-driven. They need to quantify risks in business terms, highlighting potential financial losses from breaches. This way, you demonstrate the value of security investments in protecting the organization's financial well-being – shifting cybersecurity from a cost center to a business enabler.
3. How do I celebrate security achievements?
Don't focus just on problems; celebrating security wins is crucial. Recognizing your team's successes boosts organizational morale, fosters a culture of security awareness, and highlights the value of cybersecurity investments. Public recognition of attacks that were deflected can simultaneously deter attackers and reassure stakeholders of the organization's commitment to data protection.
4. How do I collaborate with other teams better?
Effective CISOs understand that cybersecurity isn't a solo endeavor. Strong security relies on a company-wide commitment to vigilance. That's why collaboration with other departments like IT, HR, and Legal is essential. By working together, CISOs can integrate security awareness training into employee onboarding and development programs. What's more, your collaborative efforts can lead to clearer security policies that align with business processes. And collaboration strengthens incident response protocols, ensuring a swift and coordinated response to security breaches.
5. How do I focus on what matters most?
CISOs are bombarded with threats and tasks. Prioritization is key. Focusing on what truly matters ensures resources are directed effectively. This means identifying the most critical security risks, aligning them with your organization's business goals, and addressing them strategically. By saying no to distractions and focusing on high-impact initiatives, you can optimize security posture and maximize your organization's overall resilience.
Bridging the Gap: Effective Communication for CISOs
The rising tide of cyberattacks demands clear communication between CISOs and boards. To bridge this gap and gain crucial support, CISOs should prioritize effective risk communication. Ditch the technical jargon and translate complex threats into business terms. Highlight the financial impact of cyberattacks, potential reputational damage, and disruptions to core operations. By framing cybersecurity as a business issue, CISOs can secure buy-in from the board for essential security investments. (Check out this great article for more tips on how to get executive buy-in for security initiatives here.)
Additionally, remember that communication goes beyond simply presenting problems. CISOs should also demonstrate progress and move away from basic metrics to develop data-driven reports that showcase the effectiveness of security investments. Key metrics should be tracked, such as reductions in successful attacks or the time taken to identify and contain breaches. These demonstrable data points will help drive your message home.
Check out XM Cyber's new eBook, A CISO's Guide to Reporting Risk to the Board. It's packed with strategies and tips to help you finally answer board questions about risk with confidence and accuracy. By establishing a plan for clear communication and measurable progress, CISOs can finally build boardroom trust and secure the resources needed to effectively manage cyber risks.