Enhancing CISO Communication with Boards and C-Suites in 2023
CISO communication skills have never been more essential. Organizations are facing unprecedented cybersecurity risks, not the least of which are software vulnerabilities that can turn into nightmarish supply chain attacks.
Headline-grabbing events over the past two years such as the attack against systems management software provider SolarWinds and the discovery of the Log4J vulnerability have raised awareness about the impact software supply chain issues can have on many companies.
Such high-risk events also show why it’s so important for organizations to focus on strengthening their software supply chain security and vulnerability management. And to help achieve this, CISOs and other security leaders need to know how to communicate effectively with those people who in many cases make the key strategic decisions: members of the C-suite and board of directors.
An important component of the discussion is knowing which issues to bring up with the business executives. Here are some key questions to consider:
- Do we know our risk posture? It’s difficult for organizations to provide sufficient security if they don’t have a clear understanding of the risks they face. They need a handle on all of their third-party dependencies, along with visibility into and context for all of their software.
- How well can we detect and defend against software supply chain attacks, and how confident are we in our ability to close the attack window on new vulnerabilities quickly? Headline-making incidents such as the attacks against SolarWinds and Kaseya should get the attention of senior executives, because they can have a huge impact on the business.
- Are we ready for coming compliance mandates? In 2021 the White House issued an executive order on improving the nation’s cybersecurity that requires software sellers to provide federal procurement agents with a software bill of materials (SBOM) for each software application, and there’s some speculation that companies will eventually require the same of their third-party partners.
Once CISOs know which issues to discuss, how should they actually communicate with boards and C-suites? For one thing, speak in language they can relate to and understand. Security executives should never overwhelm a business audience with loads of technical jargon that leaves them befuddled.
Business leaders want things explained succinctly and in terms familiar to them. Using technical jargon and acronyms will not fly, and if CISOs do this they risk losing the audience quickly.
One term boards and C-suite executives can certainly relate to is return on investment (ROI). Security chiefs need to be prepared to show what kinds of results investments in security tools and services are delivering. This is where it’s good to have a set of metrics that can demonstrate the value of security solutions such as vulnerability scanners.
Good examples of metrics include:
- mean time to detect (MTTD), which measures how long it takes the security team to detect a vulnerability;
- mean time to remediate (MTTR), which measures the amount of time it takes for the team to fix a software vulnerability within the organization’s environment; and
- time spent patching software.
Another good practice when communicating with boards and senior executives is to be upfront about risks without resorting to fear, uncertainty and doubt. Business leaders don’t want to hear stories about what could go wrong; they want suggestions of how to prevent incidents from happening without getting in the way of employee productivity.
To learn more about the best ways security leaders can connect with boards and C-suites, check out this conversation guide for CISOs today.