How to Talk Security in C-Suites and Boardrooms
If you had half an hour with a board member and you wanted to get coaching from them about how to communicate with them about security, what would you ask them?
In a few weeks’ time, I will have just that opportunity when I facilitate a panel with some prominent board directors. Getting inside the mind of the C-suite in a relaxed environment is not an opportunity I have every day. These are the senior executives who generally support (or otherwise) our daily efforts of cyber safety. I feel that I want to understand them more than I do at the moment.
And I’m thrilled to have this opportunity in a relatively relaxed manner (if you call a panel discussion at a conference relaxed, that is). This is important, as it’s a very different conversation from the usual intense conversations that I usually have with these stakeholders. We are often intensely discussing cybersecurity strategies, funding, or an incident.
The topic of how to talk to and influence boards/executives/business on security has been a highly fashionable subject of discussion in security communities the world over for years now. I myself have published reports and delivered presentations and roundtables on this very topic. As many security leaders of my vintage, I have also had to deliver presentations, artifacts, and messages to these stakeholders. Although I’ve received some feedback on these presentations, I am just not sure that I have fully stopped to hear it from their perspective! How do they need me to work with them?
Personally, I want to know:
- What do boards and executives themselves actually want to know about security? How does this compare to what we security folk think they need to know?
- How much detail would they need?
- How do they prefer to receive this information?
- And perhaps more importantly, what do they not care about?
- What do they want their relationships with their CISOs to be like? How often do they want to catch up, for example?
- What do they see as the most important cybersecurity initiative in their organization at the moment? What has been the single best practice they’ve experienced?
I would love your views. Add any questions you’d want to ask, and I will look forward to including some of the responses and learnings in my future research.
Help me help all of us bridge that language gap!