How CSOs Can Help CIOs Talk Security to the Board

CIOs aren't necessarily security experts, but that doesn't mean they can't speak intelligently to the company's board of directors.

Most CIOs are not security experts, but in the board room they need to be. Thanks to the CSO, they don't have to go it alone. Behind the scenes, the CSO can help prepare the CIO, offering advice on how to interpret the company's threat levels, boiling down the most relevant information and communicating it, early and often, so the C-suite will pay attention.

"The challenges when you take on the CIO role or an executive role are that you don't think all about security," said Michael Hart, vice president and CIO of Petwell Partners, during a panel discussion at CIO Perspectives Houston last week. "You rely on the CISO."

The panelists, who included IT and security executives, discussed common assumptions about security risks, ways to get your business colleagues to take those risks seriously and best practices to use at your companies.


When preparing for a board presentation or a meeting with C-level executives, the first thing a CIO should do is ask the CSO to bring the conversation about security down to the most basic level and put it into terms that everyone from the most junior employee to the CEO can understand. "You don't want to talk ISO speak. Learn to talk to the business," Hart said. "That's one of the challenges I have, to make sure all lines across the company are from the business perspective."

Next, to set expectations and shape the company's thinking, the CSO should provide context around today's risks and show how they are different from yesterday's challenges. Samuel Sutton, computer scientist at the FBI, Houston Cyber Squad, said the stakes are much higher in today's threat landscape. "It used to be about the single, lonely hacker just getting access," he said. "Now instead of getting access, it's 'how can I turn it into a dollar' -- that changes the ball game."

Armed With Intelligence and Analysis

Another aspect of breaches today is that they are no longer being swept under the rug. "It used to be that the victims suffered this by themselves, isolated and alone," Sutton said. Today, thanks to intelligence, analysis and white papers, victims can educate themselves on how to handle a breach, he added.


Sutton also cautioned CIOs to not rest easy. Instead, assume you will be attacked and focus on the prevention and response plan. "The reality is that there are two networks out there, those that are hacked and those that [you] don't know are hacked," Sutton said.

Executives will likely pay less attention to the fact that there are many prevalent threats and more attention to how those threats could affect their lines of business. To prepare the CIO for that part of the conversation, the CSO should outline the impact of a security breach on the business in terms of hard cost and soft cost. Sutton recommended using examples of soft cost to show how a breach will affect the stock price, the cost of freebies to win customers back or the lag time of hiring a new C-suite executive.

Keith Turpin, CISO of Universal Weather & Aviation, suggested also looking at other breaches and how they affected businesses, then showing how those situations could play out at your company. "It's a risk analysis," he said. However, he cautioned CIOs not to protect everything the same way. "You'll run a resource exhaustion game."

Make Security Palatable for Business Leaders

Outside of the boardroom, security updates for the C-suite and business leaders should be digestible so they can fit them into their busy schedules. Hart said creating a one-page report that takes five minutes to read is a way to get on the CEO's radar. "It's about building the relationship long-term," he said.


Oberlaender agreed, "Address past, present and future -- and make a case for the CEO. Get on his radar with a weekly report and education." He also said it's important to create a program that C-suite executives can follow and include clear policies for employees to abide by. "Your company will have a breach sooner or later," he said. "So educate your executives that you can do something about it."

Lastly, it's critical to involve the legal department, which, Sutton says, can never happen too early. "Please get legal folks involved early on before your data is on fire," he said. "Help us, help you."


Stories by Lauren Brousell
