UK Cyber Week Blog

04 Sep 2024

Talking the Board’s language: the real challenge is getting on the same page

As CISOs, we repeatedly tell ourselves (and each other): ‘speak the language of the Board’.

Well-intentioned advice, but the approach is too simplistic. It assumes that the board merely lacks the words or facts, and that the onus is entirely on CISOs to adapt. But what if, instead of merely learning to ‘speak the language’, we also encouraged the board to understand how we think? The struggles we face? Why the trade-offs aren’t always clear-cut?

This is a problem of lacking shared cognition, i.e. a shared understanding of the models and representations we each make of the world.

Here are some ideas to jointly get to that deeper understanding of cyber:

The complexity of overseeing processes we don't own

CISOs are tasked with securing a sprawling landscape of digital equipment, data, people and processes that we don’t directly manage. We often don't touch the day-to-day operations yet need to influence outcomes: a constant balancing act between control and influence.

Boards need to appreciate that while CISOs may not 'own' these processes, their decisions and priorities shape our security landscape, making it harder or easier to influence, support, coax - or threaten…

For example, when a board prioritises rapid digital transformation without allowing time to understand the security implications, it is shaping the organisation's risk posture, which will likely come with more security cost to fix things down the line.

The budgetary influences between IT and cyber

One of the most common misconceptions is the conflation or alignment of IT and cyber budgets - see the frequent questions asking for the percentage of IT spend aligned to security, or team size/headcount measures. In practice, IT spending is broadly under the business’ control: new offices or new product lines typically mean more IT spend. It also ‘feels’ like IT spend should decrease over time as technology becomes more efficient, more miniaturised, more virtualised.

Cyber spending, by contrast, is mostly driven by external factors - threat actors, regulatory requirements, and the after-effects of breaches in other organisations. Helping your board understand this distinction is crucial to avoid the dreaded budget-by-analyst-research, which results in simplistic metrics such as ‘6% of IT spend’.

One good idea is to model some imagined conditions and ask whether the Board would expect cyber spend to increase or decrease under each. Dig a bit deeper, challenge or inform their assumptions, and help them understand your own opinion on the same scenario.

Risk and opportunity - not as binary as they may seem

Businesses are adept at balancing risk and opportunity: switching to a cheaper ingredient may increase margins, but might come with some consumer backlash over flavour or quality. While cyber often deals in risk, the opportunity or upside isn’t just the binary opposite. A board might decide to cut corners on cybersecurity to save costs, thinking that it is seizing an opportunity to boost the bottom line - but the risk is still there and might materialise sooner as a result.

A positive example might be to better analyse and understand competitors' views on cyber and pitch your cyber strategy just a little higher. Attackers will most often go for the easiest pickings, so you will likely be better defended as a result - for some threats, of course. You could then explain to customers how this has been achieved, which would be a great way to improve their experience of your product or brand.

In conclusion - it's not a 'language' problem, it's a challenge of 'cognition'

It's not enough to say that CISOs simply need to ‘speak the language’ of the board. We need a deeper, mutual understanding: one where the board appreciates the nuances of cybersecurity, and the CISO recognises the strategic priorities of the organisation. A shared cognition, where our interpretations are understood, challenged or debated fairly.

By helping your board grasp the complexity of overseeing processes that aren’t directly managed, the different pressures on IT and cyber budgets, and the fact that risk and opportunity in cybersecurity aren’t always binary, you can foster a more productive partnership.

About the Author: 

Chris Gunner, Group CISO at Pepper Financial Services Group

Chris is an Information Security professional, with experience ranging from CISO roles delivering firm-wide strategy to client-facing delivery as a cyber consultant across a variety of roles and industries. Chris is a strong proponent of the view that security is something a business does across the enterprise; it must be built into processes and policies across the organisation in a way that keeps the place running.

He has information security experience in government, legal and financial services, encompassing Board reporting, cyber security strategy, certifications and compliance, third party assurance, security policy frameworks, and operational resilience, business continuity and IT disaster recovery.