How to talk to the board about IT security

Talking to a board of directors is one of the things CISOs or their equivalents have to get used to, especially these days when security is top of mind at the top of the organization.

It may not be easy to face a number of men and women who have little knowledge about what you do (and who assume the reason you’re there is to ask for money). But as the RSA Conference was told this week, with some preparation

Chris Wysopal, co-founder and CTO of Veracode, told a session that you should think how you’d explain what you do when talking to your mother. Well, maybe that’s too simplistic (or maybe not). But here are a few of his tips:

    • Don’t use acronyms like DDoS. Say the words, not the letters. Similarly, use visuals, not text;
    • Use numbers, especially dollars, such as losses from public data breaches, so board members can measure risks against costs;
    • Use analogies;
    • Show how training works. “You can measure the effectiveness of training on spear phishing,” he said;
    • Stress that there is no such thing as a breach-free organization;
    • Stress that cybersecurity has to be companywide: IT, legal, lines of business and public relations must all become involved;
    • Make sure they understand cybersecurity needs to be thought of as long-term strategy of survival for the brand.

Here’s another sage piece of advice from Wysopal: Ask board members what they want to get out of their infosec program. That will draw them into a conversation, get them thinking about security and give you and the CEO an indication of the direction the board is going.

And if they’re caught off guard by the question? Well, then both sides have learned.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
