The gulf between CISOs and non-technical business users on cybersecurity issues has never felt so huge - with many security professionals struggling to explain issues in a way that will resonate with the board.
This week, the National Cyber Security Centre (NCSC) published new guidelines for cybersecurity professionals to help explain issues to the board in a way that will prevent cybersecurity being seen as a "necessary evil or cost-centre".
The guide (which can be found here) focuses on helping cybersecurity leaders to understand boards better and how to couch cybersecurity issues in language business users can understand.
It advises cybersecurity professionals to couch discussions in terms that business leaders can understand, such as risk, and warns of common misunderstandings, pointing to recent NCSC research which found that 80% of Boards do not realise that "accountability for cyber risks rests with them".
The NCSC says: "It is a common misconception that boards make all the decisions; most will be made by the executive management team, with the board concerning itself with the governance and oversight of those decisions and recommendations."
It also offers useful pointers on how to make language less technical: for instance, referring to "protecting PCs and servers from viruses and other types of malware" rather than "endpoint protection."
"Where possible, quantify and make the risks tangible, using precise language," the NCSC advises. "You should reserve ‘doomsday scenario’ language and hyperbole for risks that really really warrant it. Equally boards expect honest, matter-of-fact assessments of risks and your current position. Trying to gloss-over the risk (or overstate the mitigation) is not helpful."
What does the board want to know about security?
The guide also advises that board meetings are not the best place for asking questions or in-depth discussions - and advises developing contacts with board members outside regular meetings.
There's also a list of questions which cybersecurity professionals should expect to ask and be asked.
CISOs should ask about relevant KPIs, details of key risks and mitigation plans, or the impacts which most concern the board, whether that's downtime, client impact or the implications of shifting regulations.
It's also wise to find out what sort of questions the board has about security (some of them are listed below) and to request operational data that demonstrates the effectiveness of previous investments - which will help to guide future spending.
Questions the board is likely to ask CISOs
The NCSC advises security leaders to "expect to be asked about the big picture". Below are some of the questions it suggests that the board will ask, which we have included without editing:
- Do we understand the cyber security threat, and how it might impact our business strategy and plans?
- How do we benchmark against other organisations? Our peers? Our sector?
- How do we consider cyber security implications when we take decisions?
- Have the critical assets for protecting our key business objectives been identified?
- Are we managing the risks in an effective way?
- Are we executing against the mitigation actions?
- Are responsibilities clear?
- Are we working with our supply chains and customers on this?
- Do we have incident and contingency plans in place? Have they been tested?
The NCSC advises cybersecurity professionals to "elevate" topics into something connected to the whole business, saying: "You need to connect what you want to tell the Board with what is most important to them (and therefore what they are interested in hearing about)."
It also suggests that CISOs should "own the problem", which means persisting even when issues have to be explained several times.
"The crucial first step is to recognise that - rightly or wrongly - this is your problem to solve," the NCSC advises. "You will need to work with the audience as you find them, which may not be the audience you’d perhaps wish you had."
Opening up to the board
Security leaders would also be wise to remember that to the board, a security issue is simply a security issue. They may not be cognisant of (or care about) the distinction between different types of attacks or threats.
CISOs must also open themselves up to scrutiny and "expect to be inspected". All CFOs or health and safety teams will be familiar with opening the books for audits, which means security leaders should "expect the same, especially over critical matters or significant investments".
It's also important to remember to "advise rather than educate".
"Board members rely on advice from experts - like you - to discharge their governance responsibilities," the NCSC tells CISOs. "It’s not your role to train them to do your job, but instead to put them in a position where they can make informed decisions about corporate strategy and cyber risks."
Finally, CISOs are given tips on how to effectively communicate with the board, which starts with a focus on clarity, conciseness, and a business-oriented approach.
Using simple, jargon-free language is a must, as is adopting a business-focused mindset and sharing updates that highlight the relevance of cyber initiatives. CISOs should be sure to prioritise brevity and straightforward language, because "many board members struggle to unpick and engage with cyber security."
Next steps for CISOs
Of course, the guide is only a start. Every board is different and every organisation has its own risk profile - and faces a unique threat landscape.
Raghu Nandakumara, Head of Industry Solutions at Illumio, told The Stack that CISOs should push even further than the NCSC's suggestions.
“To drive real board engagement, we must go one step further – using concrete, quantifiable risk assessments and financial metrics that resonate with leadership," he said.
"There must be greater emphasis on how cybersecurity investments can deliver measurable returns, by both reducing vulnerabilities and boosting operational resilience. We also need to see more mapping of outcomes of cyber initiatives to things like productivity, reputation, and the bottom line – things that the board truly cares about.
“CISOs also need to identify the biggest risks to their business and the most likely way they will be exploited. Then trace the risk backwards to determine how effective existing security controls are, or where additional controls like network segmentation are needed. Boards will need to weigh up the cost of fixing cyber problems against the financial risks of leaving them, so the more data and evidence CISOs can provide, the better.”