Talking to a board of directors is one of the things CISOs or their equivalents have to get used to, especially these days when security is top of mind at the top of the organization.

It may not be easy to face a number of men and women who have little knowledge about what you do (and who assume the reason you’re there is to ask for money). But as the RSA Conference was told this week, with some preparation

Chris Wysopal, co-founder and CTO of Veracode, told a session that you should think about how you’d explain what you do when talking to your mother. Well, maybe that’s too simplistic (or maybe not). But here are a few of his tips:

    • Don’t use acronyms like DDoS. Say the words, not the letters. Similarly, use visuals, not text;
    • Use numbers, especially dollars, such as losses from public data breaches, so board members can measure risks against costs;
    • Use analogies;
    • Show how training works. “You can measure the effectiveness of training on spear phishing,” he said;
    • Stress that there is no such thing as a breach-free organization;
    • Stress that cybersecurity has to be companywide: IT, legal, lines of business and public relations must all become involved;
    • Make sure they understand cybersecurity needs to be thought of as a long-term strategy of survival for the brand.

Here’s another sage piece of advice from Wysopal: Ask board members what they want to get out of their infosec program. That will draw them into a conversation, get them thinking about security and give you and the CEO an indication of the direction the board is going.

And if they’re caught off guard by the question? Well, then both sides have learned.

  • Capt Obvious

    just tell them what happens to the “brand” when a breach or compromise happens…that’ll get their attention…. works every time….