Bridging the Gap: How CISOs Can Better Connect with Boards
A couple of days ago I had the pleasure of discussing the important topic of CISO-to-C-level interaction with two prominent experts, John Madelin and Ursula Morgenstern. John is a prominent CISO who advises universities and government on cybersecurity incident prevention policy. Ursula is a C-level business leader who has run major ($-billions) business units for Atos and Cognizant. She and John shared their insights on the often strained relationship between Chief Information Security Officers and the boardroom. Their conversation shed light on the challenges and opportunities for CISOs to engage more effectively with their boards.
The Disconnect: Technical Overload and Business Relevance
John’s research highlights a significant issue: CISOs frequently present information that is overly technical and disconnected from the broader business context. Boards often receive presentations laden with jargon—think terms like “Zero Trust,” “PKI,” “Click Rates” and “SIEM correlation”—which can obscure the strategic value of cybersecurity efforts. This technical focus can lead to inconsistent messages and a lack of clarity about organizational obstacles, such as IT fragmentation and legacy technical debt.
Ursula, a former board member and C-level executive, echoed these concerns. She noted that cyber risks are often not framed as part of the overall business risk profile, leading to a focus on technology rather than business impact. CISOs, she observed, sometimes catastrophize risks and struggle to communicate in business terms like ROI and financial impact.
It’s All About Engagement: Storytelling and Business Alignment
John emphasized that engaging with the board requires a shift in communication style. Successful CISOs use storytelling to make their points. For instance, incorporating real-world examples of cyber threats—such as those from the Lazarus Group or Cozy Bear—can effectively capture the board’s attention. The key is to mix these stories with actionable insights and align them with the company’s strategic goals. The attack chain used in each event provides a rich opportunity to tell a story that highlights the risky points in current business processes.
Ursula agreed with John on the need for engaging presentations but added that they should also be interactive and foster debate. She stressed that CISOs should tailor their communication to the board’s knowledge level and ensure sessions are pleasant and productive.
Navigating Board Access and Human Risk Management
Access to the board can be a significant hurdle for CISOs. Ursula recommended building strong stakeholder relationships, finding allies, and aligning with business priorities to secure boardroom time. This involves educating peers in other functions, such as HR, about cybersecurity’s role in the organization.
John concurred, noting that human error is a major factor in cyber incidents. He suggested that instead of focusing on how many users clicked on phishing emails, CISOs should engage the board in proactive detection and response strategies, emphasizing the importance of business enablement.
Cultivating a Cyber Culture
The concept of a “cyber culture” was also discussed. Ursula argued that the focus should be on integrating cyber practices into the broader corporate culture rather than creating a separate one. Leadership at the highest level must embed cybersecurity into the company’s core values, such as customer safety and product quality.
John highlighted the importance of leadership buy-in and suggested that effective safety cultures involve pragmatic, outcome-oriented interactions with the CISO, focusing on the most critical risks without getting bogged down in unnecessary details.
The Role of the Board and CEO
Finally, Ursula stressed that the board and CEO play a crucial role in shaping the CISO function. They need to define what kind of CISO is required, provide mentorship, and support ongoing training to ensure that the CISO can effectively meet the organization’s cybersecurity needs. Leadership needs to own the cybersecurity problem. The CISO plays an important role in helping leaders and boards make business decisions that protect sensitive data or IP.
In summary, improving the relationship between CISOs and boards involves focusing on business relevance, adopting effective communication strategies, ensuring board access, integrating cybersecurity into corporate culture, and evolving professional education. By addressing these areas, CISOs can better align their efforts with business goals and enhance their overall impact.
The podcast recording can be found here: https://youtu.be/SZLl79_b68U