
Why boards tune out CISOs, and 4 ways to get them to listen


Image by adrian825 via GettyImages.ca

Imagine an adult in front of you talking in an unintelligible foreign language.

That, says Jeffrey Wheatman, is how most chief information security officers (CISOs) sound to their boards and senior management.

Wheatman, the cyber evangelist for U.S.-based IT supply chain security ratings service Black Kite, gave that analogy during his presentation Monday to the annual siberX CISO Forum Canada. In fact, to get his point across he began speaking in … something. It might have been a language. It might have been gibberish. It was certainly unintelligible. It puzzled the audience of infosec pros.

This was his point: Something unintelligible is what directors and senior management hear when most infosec leaders talk.

The solution, he said, is that infosec leaders have to learn to communicate much better to non-IT people.

A former Gartner analyst who has spoken to boards and advised CISOs on how to speak to boards, he offered infosec leaders these four tips to be more effective:

1. Learn to speak the language of business: “They’re not going to learn our language; we must learn theirs. For us to expect them to learn ours is a failed, doomed exercise.”

One example: Don’t explain the possible impact of ransomware as, ‘It would bring the network down.’ Management doesn’t know what the network is. Instead say, ‘You won’t be able to send invoices, people can’t pay us, we won’t be able to get product out.’ Management, Wheatman said, cares about three things: Money coming in, money going out and “if stuff goes sideways who’s getting in trouble.” What should infosec pros do? Take business classes, many of which are free; learn how to read a general ledger and how accounting is done.

2. Create stories: Don’t tell boards and management everything you know about cybersecurity. Convey your message in words and imagery to educate, influence a decision or change behaviour. How? Get inspiration from media that tell quick stories as movies, TV shows and commercials do. Build analogies, which are comparisons. Distill your message into a one-page story, which will force you to get to the point. Then practice your pitch, perhaps to a friend, child or spouse. When making that presentation, don’t forget to pause at critical points and wait for a response — is your pitch resonating? Never ask your audience, ‘Does this make sense to you?’ But you can ask, ‘Is this helpful?’

3. Focus on emotions, “not the ones and zeros in the data and the information,” Wheatman said. Data may persuade people but it doesn’t inspire action. “People remember how they felt after your presentation more than what you told them.” Think about how you want executives to feel when you’re done, he said. If you don’t know what you want them to feel, your message may not land properly. (Hint: It’s okay to want them to feel a little scared, but confident you know what you’re doing.) You can use data — carefully. Too many data points overwhelm audiences. Find some kernels and build around them. Look for hot buttons: Know what’s important to your audience — the CEO wants to hear the impact of cybersecurity on their pet project, the chief operating officer wants to hear about the operational impact, and the sales department wants to hear if it will help/hinder their ability to meet sales goals. You can refer to something that happened to a competitor (“Let’s talk about how we can avoid that.”). Part of this, by the way, also includes scenario-planning: ‘What might happen if (there’s a recession, a virus sweeps the world, we lose internet connectivity …)?’

4. Understand the organization’s appetite for risk. You don’t want to tell them what their risk is, you want to hear their view of risk by telling stories and asking questions. But everyone should understand and agree on terms like “risk”, “threat” and “operations.” Then create tools to prioritize those risks. Finally, make sure the risk appetite is linked to the organization’s objectives. For example, don’t say employees should be forbidden from installing their own software because the computers will crash. Instead say, ‘We need to keep the computers up so they can support customers.’

The CISO Forum continues Tuesday.
