Making the Connection in the Boardroom
A lack of effective communication is one driver for this gap around how cybersecurity is understood. According to Proofpoint’s report, 69 percent of board members say they see eye-to-eye with their CISOs, and only 51 percent of CISOs feel the same way.
Phil Venables, CISO and vice president of Google Cloud, at the mWise event on Tuesday acknowledged “there’s a little bit of fear in the boardrooms that cyber is this dark mysterious art that is really difficult to manage.”
CISOs and board members can achieve a better mutual understanding not from using technical terms, but instead looking at what these terms mean for the business; such as how security threats and flaws can potentially impact organizational business goals and reputation. Board members care less about threat detection metrics and more about how these metrics will impact revenue, for instance.
Venables said that approaching boardroom communications from a risk-based perspective, rather than a technical perspective, can help drive further collaboration between CISOs and board members. CISOs could ask boards to think about the risks facing an organization’s most critical assets and services, the effectiveness of the controls that mitigate those risks and the end-to-end processes in place to constantly validate that these risks are being monitored, he said.
“Now in that whole paragraph, I never used the word technology, I didn’t use cyber, I didn’t use information security,” said Venables. “That’s just the approach that boards have to manage a whole array of risks… and the more boards can get used to that, the more security teams can answer that question in a coherent way. Today, they’re not doing a great job of answering that question and the boards are not doing a great job of holding the security and technology and risk teams accountable for that question.”