New report looks at facilitating cyber board communications
- Published: Wednesday, 11 July 2018 08:40
Kudelski Security has published a new research report, 'Cyber Board Communications & Metrics – Challenging Questions from the Boardroom' that features the perspectives of enterprise CISOs from large global organizations.
The report features discussions and opinions on how security leaders have improved relationships and communication methods to better inform non-technical executive leaders, measure and report on security priorities, and increase organizational support for security initiatives. This includes the top questions CISOs face, as well as tips to improve presentations made for the board of directors.
The report was created in conjunction with Kudelski Security's Client Advisory Council (CAC), a cybersecurity think tank made up of top-level information security leaders from global enterprises.
The CAC focused on the need to enhance board awareness of the cyber challenges their organizations face, and to improve their confidence in the CISOs they have charged with their organization's security. Through a lengthy and thorough process of industry surveys, focus groups and individual interviews, the CAC confirmed its hypothesis: CISOs need to better communicate programs and initiatives in a way that is meaningful to their counterparts and boards.
The report says that the key to helping boards understand cybersecurity is to understand what they really want to know when they ask the questions they do. A strategy is outlined to answer the five most challenging questions, including "Are we secure?" and "How does our security program compare to our industry peers?", along with strategies, communication approaches and detailed advice on the best use of metrics.
"Communicating with a board is among the most challenging yet vital and impactful responsibilities a CISO could have," said Almir Hadzialjevic, CAC member and Vice President, Enterprise Risk & Security, Aaron's, Inc. "Most boards are made up of sophisticated leaders who, while being experts within their domain, simply do not speak 'technology.' Nevertheless, they have a strong understanding of the business, risks to the business, financial and reputational implications, and play a critical role in the effective oversight of the company's cybersecurity program. This presents a unique challenge for a CISO trying to relay the vital importance of a robust and mature cybersecurity program, and the need for investment in it. A partnership between CISOs and their board of directors is crucial, and the effectiveness of any company's security program depends on it."
Obtain the report (registration required).