One of the most important skills a cybersecurity professional needs is the ability to communicate effectively, whether outwards to the wider organization or upwards to the board to escalate issues and inform key decision-makers. Dave Cartwright, CISSP, shares some of his experience and advice.
It is reasonable to state that IT people in general, and cyber specialists in particular, are not always great at communicating. But getting the cyber message across to the executive team, or the board, is really not as difficult – or scary – as you’d think. In my day job I am a CISO but, like many, I am three steps from the CEO on the org chart; a few years back the idea of sitting in a board meeting was terrifying, but now it’s just part of the job and one I look forward to each quarter. Here’s how it’s done.
Mutual Respect
First, be aware that respect is not the same as fawning. If you’re sitting in a board meeting, then you should of course have respect for your superiors – they will (mostly) have got where they are today by being good at what they do. However, they will also have respect for you, because you’re the one they employed to manage the biggest risk in their business – cybersecurity. You know a load of things they don’t, which is why you’re sitting there answering their questions. Show them respect, but don’t be afraid to be yourself.
Keep it Factual
Next: present them with facts. If you write a report for any senior committee, do everything you can to keep opinion out of it. Senior management need to know the facts of the organization’s cybersecurity situation, not what you think about the particular issue you happen to be focused on at the time. And “write a report” is not quite the right phrase: you should be drawing the report, because, as the adage states, a picture is worth a thousand words. Graphs and charts are very much the way to get your message across. Want to show a horror story while remaining impartial? Draw a line graph of open vulnerabilities or overdue patches over time, and use an industry-standard classification to colour the bands red, amber and green (for example, the qualitative severity ratings defined in the CVSS specification: Low, Medium, High and Critical, derived from the base score). State where the data came from and when it was taken, so the same chart can be reproduced next quarter and the trend compared like for like. You’re giving them facts and showing them what they mean.
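As an added example (not code from the original article), here is how the data behind that graph can be built from scan findings in Python: each finding’s CVSS v3.1 base score is mapped to the specification’s qualitative rating, the findings still open at each month end are counted per rating, and the result is the series a stacked chart would plot. The finding records and dates are constructed for illustration, and the grouping of ratings into Red/Amber/Green is an assumption; use whatever your own reporting standard says.

```python
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterator, List, Optional, Tuple

# Lower bound of each qualitative rating in the CVSS v3.1 specification
# (section 5, "Qualitative Severity Rating Scale"). 0.0 is rated "None".
CVSS_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))

# Board-facing colour per rating. This grouping is an assumption for the
# example; your risk team may draw the lines differently.
RAG = {"Critical": "Red", "High": "Red", "Medium": "Amber", "Low": "Green", "None": "Green"}


def severity(base_score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative rating."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    for name, floor in CVSS_BANDS:
        if base_score >= floor:
            return name
    return "None"


@dataclass(frozen=True)
class Finding:
    ident: str            # hypothetical tracker id, not a real CVE
    cvss: float           # CVSS v3.1 base score
    found: date           # first reported by the scanner
    fixed: Optional[date]  # patch confirmed on this date, None if still open


def month_ends(start: date, end: date) -> Iterator[date]:
    """Yield the last day of each month from start's month to end's month."""
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        yield date(y, m, calendar.monthrange(y, m)[1])
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def open_by_severity(findings: List[Finding], start: date, end: date) -> List[Tuple[date, Counter]]:
    """Count findings still open at each month end, grouped by CVSS rating."""
    series = []
    for day in month_ends(start, end):
        counts: Counter = Counter()
        for f in findings:
            # Open on 'day' if reported on or before it and not yet fixed by it.
            if f.found <= day and (f.fixed is None or f.fixed > day):
                counts[severity(f.cvss)] += 1
        series.append((day, counts))
    return series


def render(series: List[Tuple[date, Counter]]) -> str:
    """Plain-text table of the series; one column per rating, RAG in the header."""
    bands = [b for b, _ in CVSS_BANDS]
    header = "month    " + "".join(f"{b + ' (' + RAG[b] + ')':>18}" for b in bands)
    rows = [header]
    for day, counts in series:
        rows.append(day.strftime("%Y-%m") + "  " + "".join(f"{counts[b]:>18}" for b in bands))
    return "\n".join(rows)


# Constructed sample data, not real scan output.
SAMPLE = [
    Finding("F-001", 9.8, date(2024, 1, 10), None),
    Finding("F-002", 7.5, date(2024, 1, 22), date(2024, 3, 5)),
    Finding("F-003", 5.3, date(2024, 2, 3), None),
    Finding("F-004", 9.1, date(2024, 3, 15), None),
    Finding("F-005", 3.1, date(2024, 3, 20), date(2024, 3, 28)),
    Finding("F-006", 8.2, date(2024, 4, 2), None),
]


def sample_series() -> List[Tuple[date, Counter]]:
    """The Jan..Apr 2024 series for the constructed sample."""
    return open_by_severity(SAMPLE, date(2024, 1, 1), date(2024, 4, 30))


if __name__ == "__main__":
    print(render(sample_series()))
```

Counting what is open at each month end, rather than what was discovered in each month, is what makes the line honest: a finding fixed within the month does not inflate the trend, and one left open keeps counting until it is actually closed.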
Accessible Language
That last step, showing what the numbers mean, is the tricky part of any communication to senior teams: putting things in a language they understand. Graphs are great because everyone understands what a “red” classification means, but what about when it’s not just about the numbers and you can’t graph it? Now you need to learn the language of risk, because that is the common denominator that all executives and board members should understand. The most common approach is to score the likelihood of something happening (1 = highly unlikely, 5 = almost certain) and the impact should it happen (1 = tiny, 5 = vast). Speak with your risk team and get a copy of the definitions they use for each level (for example, an impact score of five may mean a financial cost of $5 million or more, or the loss of at least 30% of the customer base). Use their scales rather than inventing your own: a cyber risk scored the same way as the organization’s other risks can sit on the same register and be compared with them directly. Senior management understand risk, so if you can put cyber issues in that language, you’re on a winner.
On the subject of risk: don’t just show each risk and leave it there. If there is a clear action that would take the likelihood of a major risk from a five to a three, write it down, with the time and cost, and show the residual rating alongside the current one. Boards love it when they’re told: “It’s a level-five critical risk, but with $50,000 and six months we can bring it down to a three”. They can then make a decision on the record: accept the risk as it stands, or approve the action and the money.
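As an added example (not code from the original article), here is that risk language in Python: impact is derived from the risk team’s scale definitions, likelihood and impact are combined on a 5x5 matrix into a Red/Amber/Green rating, each risk carries an optional treatment with its cost, duration and expected residual scores, and the register renders as both a heat map and the one-line summary a board member asks for. The scale thresholds, the matrix cut-offs and the three risks in the register are constructed assumptions; the only figure taken from the article is that an impact of five means $5 million or more, or loss of at least 30% of customers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Scale definitions belong to the risk team. These thresholds are assumptions
# for the example, built around the article's illustration that impact 5 means
# $5 million or more, or loss of at least 30% of the customer base.
COST_FLOORS = ((5, 5_000_000), (4, 1_000_000), (3, 250_000), (2, 50_000), (1, 0))
CUSTOMER_LOSS_FLOORS = ((5, 0.30), (4, 0.15), (3, 0.05), (2, 0.01), (1, 0.0))


def _scale(value: float, floors) -> int:
    for score, floor in floors:
        if value >= floor:
            return score
    return 1


def impact_score(cost_usd: float = 0.0, customer_loss: float = 0.0) -> int:
    """Impact 1..5: the worse of the financial and customer-loss scales."""
    return max(_scale(cost_usd, COST_FLOORS), _scale(customer_loss, CUSTOMER_LOSS_FLOORS))


def rating(likelihood: int, impact: int) -> str:
    """RAG rating from a 5x5 matrix. The cut-offs on likelihood * impact are an assumption."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"scores must be 1..5, got {v}")
    product = likelihood * impact
    if product >= 15:
        return "Red"
    if product >= 8:
        return "Amber"
    return "Green"


@dataclass(frozen=True)
class Treatment:
    action: str
    cost_usd: int
    months: int
    likelihood: int   # expected scores once the action is complete
    impact: int


@dataclass(frozen=True)
class Risk:
    ident: str
    title: str
    likelihood: int
    impact: int
    treatment: Optional[Treatment] = None

    def current(self) -> str:
        return rating(self.likelihood, self.impact)

    def residual(self) -> str:
        """Rating after treatment; unchanged when nothing is proposed."""
        if self.treatment is None:
            return self.current()
        return rating(self.treatment.likelihood, self.treatment.impact)


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Place risk identifiers on the (likelihood, impact) grid."""
    grid: Dict[Tuple[int, int], List[str]] = {(lk, im): [] for lk in range(1, 6) for im in range(1, 6)}
    for r in risks:
        grid[(r.likelihood, r.impact)].append(r.ident)
    return grid


def render_heat_map(risks: List[Risk]) -> str:
    """Text heat map: impact 5..1 down the side, likelihood 1..5 across."""
    grid = heat_map(risks)
    rows = ["impact \\ likelihood" + "".join(f"{lk:>10}" for lk in range(1, 6))]
    for im in range(5, 0, -1):
        cells = ["/".join(grid[(lk, im)]) or "-" for lk in range(1, 6)]
        rows.append(f"{im:>19}" + "".join(f"{c:>10}" for c in cells))
    return "\n".join(rows)


def board_line(risk: Risk) -> str:
    """The sentence the board wants: where the risk is, and what it costs to move it."""
    cur = f"{risk.current()} (L{risk.likelihood}/I{risk.impact})"
    if risk.treatment is None:
        return f"{risk.ident} {risk.title}: {cur}; no treatment proposed, decision is to accept or not."
    t = risk.treatment
    return (f"{risk.ident} {risk.title}: {cur}; with ${t.cost_usd:,} and {t.months} months "
            f"({t.action}) it becomes {risk.residual()} (L{t.likelihood}/I{t.impact}).")


# Constructed register, not a real organization's data.
REGISTER = [
    Risk("R-1", "Ransomware on file servers", 5, impact_score(cost_usd=6_000_000),
         Treatment("offline backups plus EDR rollout", 50_000, 6, 3, impact_score(cost_usd=600_000))),
    Risk("R-2", "Phishing leading to payment fraud", 4, impact_score(cost_usd=300_000),
         Treatment("phishing-resistant MFA for finance staff", 20_000, 3, 2, impact_score(cost_usd=300_000))),
    Risk("R-3", "Loss of a single encrypted laptop", 3, impact_score(cost_usd=10_000)),
]

if __name__ == "__main__":
    print(render_heat_map(REGISTER))
    for r in REGISTER:
        print(board_line(r))
```

Note that the treatment for R-1 moves both scores: backups reduce the impact (recovery is possible) and endpoint detection reduces the likelihood, which is why the residual rating drops from Red to Amber even though the likelihood only goes from five to three.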
We said earlier that you shouldn’t put your opinion in the reports you give to senior management. If you are at the meeting and they ask you what you think, however: tell them. Do it calmly and justify your reasoning; a rant will do nobody any good. Generally speaking, the questions won’t be wide open. Rather, you will be asked for your view on the implications of something in the report, so be logical and explain what could happen and how likely it is.
Be Prepared to be the Bearer of Bad News
One last thing: if you are new to your role and this is your first invitation to a meeting with senior management, bear in mind that you might be the first person to tell them something bad. “Why has nobody told us this before?” is a surprisingly common question in board meetings, particularly in cybersecurity. The security function tends to report into the CIO or CTO, and the person whose systems, people and processes are responsible for the situation being as poor as it is has every incentive to present the bad news as a far less negative message. Be ready for the question, stick to the facts in your report, and resist the urge to apportion blame.
- ISC2 Executive Leadership courses include a course on Presenting to Your Board of Directors
- Read our recent article on Bridging the Gaps Between Security Teams and Leadership
- Watch our recent webinar on Board Level Reporting Metrics