One of the most important skills a cybersecurity professional needs is the ability to communicate effectively, be that out to the wider organization, or upwards to the board to escalate issues and inform key decision-makers. Dave Cartwright, CISSP, shares some of his experience and advice.
It is reasonable to state that IT people in general, and cyber specialists in particular, are not always great at communicating. But getting the cyber message across to the executive team, or the board, is really not as difficult – or scary – as you’d think. In my day job I am a CISO but, like many, I am three steps from the CEO on the org chart; a few years back the idea of sitting in a board meeting was terrifying, but now it’s just part of the job and one I look forward to each quarter. Here’s how it’s done.

Mutual Respect

First, be aware that respect is not the same as fawning. If you’re sitting in a board meeting, then you should of course have respect for your superiors – they will (mostly) have got where they are today by being good at what they do. However, they will also have respect for you, because you’re the one they employed to manage the biggest risk in their business – cybersecurity. You know a load of things they don’t, which is why you’re sitting there answering their questions. Show them respect, but don’t be afraid to be yourself.

Keep it Factual

Next: present them with facts. If you write a report for any senior committee, do everything you can to avoid putting opinion in there. Senior management need to know the facts of the organization’s cybersecurity situation, not what you think about a particular issue that you’re focused on at the time. Oh, and when we say “write a report”, that’s not really what you should be doing – you should be drawing the report … by which we mean that, as the adage states, a picture is worth a thousand words. Graphs and charts are very much the way to get your message across. Want to show a horror story but remain impartial? Draw a line graph showing vulnerabilities or overdue patches increasing over time, and use an industry-standard classification (for example, the definitions in the CVSS specification) to paint things red, amber and green. You’re giving them facts and showing them what they mean.
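The data series behind such a chart is easy to produce from a vulnerability register. The following is an added example, not code from the article or from ISC2. The severity bands follow the qualitative severity rating scale in the CVSS v3.1 specification (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0); the red/amber/green mapping, the per-band patching SLAs and the vulnerability records are all constructed assumptions standing in for an organization's own policy and data.

```python
"""Open-vulnerability trend and overdue-patch list for a board chart.

Added example, not from the ISC2 article. Sample records, the RAG colour
mapping and the SLA table are constructed assumptions; only the severity
bands come from the CVSS v3.1 qualitative severity rating scale.
"""
from collections import Counter
from datetime import date


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumption: chart colour per band. The board reads red/amber/green, not scores.
RAG_COLOUR = {"None": "green", "Low": "green", "Medium": "amber",
              "High": "red", "Critical": "red"}

# Assumption: days the organization allows itself to patch each band.
PATCH_SLA_DAYS = {"None": None, "Low": 90, "Medium": 30, "High": 14, "Critical": 7}

# Constructed sample register: (id, CVSS base score, first seen, fixed date or None).
SAMPLE_VULNS = [
    ("V-001", 9.8, date(2024, 1, 5), None),
    ("V-002", 7.5, date(2024, 1, 20), date(2024, 2, 10)),
    ("V-003", 5.3, date(2024, 2, 2), None),
    ("V-004", 3.1, date(2024, 2, 15), None),
    ("V-005", 8.8, date(2024, 3, 1), None),
    ("V-006", 9.1, date(2024, 3, 12), date(2024, 3, 18)),
    ("V-007", 6.5, date(2024, 3, 20), None),
]


def _as_date(on) -> date:
    """Accept either a date or an ISO-8601 string such as '2024-03-31'."""
    return on if isinstance(on, date) else date.fromisoformat(on)


def is_open(vuln, on) -> bool:
    """True if the vulnerability had been seen and was not yet fixed on `on`."""
    _, _, first_seen, fixed = vuln
    on = _as_date(on)
    return first_seen <= on and (fixed is None or fixed > on)


def open_counts_by_colour(vulns, on) -> dict:
    """One point on the trend line: open vulnerabilities bucketed by colour."""
    counts = Counter(RAG_COLOUR[cvss_severity(v[1])] for v in vulns if is_open(v, on))
    return {colour: counts.get(colour, 0) for colour in ("red", "amber", "green")}


def overdue(vulns, on) -> list:
    """Ids of open vulnerabilities that have exceeded their (assumed) patch SLA."""
    on = _as_date(on)
    late = []
    for vuln in vulns:
        if not is_open(vuln, on):
            continue
        vid, score, first_seen, _ = vuln
        sla = PATCH_SLA_DAYS[cvss_severity(score)]
        if sla is not None and (on - first_seen).days > sla:
            late.append(vid)
    return late


def trend(vulns, snapshots) -> list:
    """Series of (ISO date, colour counts) pairs ready to plot as stacked lines."""
    return [(_as_date(d).isoformat(), open_counts_by_colour(vulns, d)) for d in snapshots]


if __name__ == "__main__":
    for when, counts in trend(SAMPLE_VULNS, ["2024-01-31", "2024-02-29", "2024-03-31"]):
        print(when, counts)
    print("overdue on 2024-03-31:", overdue(SAMPLE_VULNS, "2024-03-31"))
```

Month-end snapshots give the rising red and amber lines the article describes, and the overdue list gives the board the concrete backlog behind them without any opinion attached; swap in the organization's real SLA table and register export to use it for a report.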

Accessible Language

And this latter concept is the tricky part with any communication to senior teams: putting things in a language they understand. Graphs are great because everyone understands what a “red” classification means, but what about when it’s not just about the numbers and you can’t graph it? Now you need to learn the language of risk, because that’s the common denominator that all executives and board members should understand. The most common approach is to measure the likelihood of something happening (1 = highly unlikely, 5 = almost certain) and the impact should it happen (1 = tiny, 5 = vast). Speak with your risk team and get a copy of the measures they use to define each of these (for example, an “impact” score of five may mean a financial cost of $5 million or more, or the loss of at least 30% of the customer base). Senior management understand risk, so if you can put cyber issues in that language, you’re on a winner.
On the subject of risk: don’t just show each risk and leave it there. If there’s a clear action that can be taken to take the likelihood of a major risk from a five to a three, write it down (and include the time and cost). Boards love it when they’re told: “It’s a level-five critical risk, but with $50,000 and six months we can bring it down to a three” – they can then choose whether to accept it in its current form or agree for you to take the actions and spend the money.
Returning to a previous point, we said earlier that you shouldn’t be giving your opinion in the reports you give to senior management. However, if you’re at the meeting and they ask you what you think: tell them. But do it calmly and justify what you’re thinking – a rant will do nobody any good. Generally speaking, the questions won’t be wide open: rather, you will be asked for your view on the implications of something in the report – so be logical and explain what could happen and how likely it is.

Be Prepared to be the Bearer of Bad News

One last thing: if you are new to your role, and this is your first invitation to a meeting with senior management, bear in mind that you might be the first person to be telling them something bad. “Why has nobody told us this before?” is a surprisingly common question in board meetings, particularly in the area of cybersecurity – because the security function tends to report into the CIO or CTO, and there is often a tendency for bad news to be represented as a far less negative message by the person whose systems, people and processes are responsible for the situation being as poor as it is.

- ISC2 Executive Leadership courses include a course on Presenting to Your Board of Directors
- Read our recent article on Bridging the Gaps Between Security Teams and Leadership
- Watch our recent webinar on Board Level Reporting Metrics