Nick Lennon is the ANZ Country Manager at Mimecast, having joined in 2007 as a Channel Sales manager. As a leader in management excellence, Nick has personally grown the local team from five members to over 100 since Mimecast’s introduction to the ANZ market. Nick maintains a passionate focus on achieving rapid local business growth, understanding evolving challenges across all verticals and ensuring customers get the best service driven by Mimecast’s strong culture.
Why CISOs shouldn’t reveal everything to the Board
Cybersecurity, once seen as a responsibility within IT, is now a business priority.
Australian businesses’ cyber spend will top $5 billion in 2021, and research shows that 90% of CISOs around the world now present directly to the Board, usually quarterly. Yet despite that direct line, communication rarely gives CISOs or Board members what they need.
CISOs face rapidly evolving threats, strained resources and high expectations. Churn is far higher than in other senior roles: almost a quarter of CISOs have been in their role for less than a year. A big part of the frustration CISOs experience lies in communicating the impact of cyber decisions in business terms, and contextualising hard data into business insights. Let’s unpack the communication disconnect, and see how we can change it.
The Board doesn’t need to see all the data
The classic CISO presentation to the Board tends to be data-driven. Many CISOs focus on things like how many attacks were repelled or which new tools and procedures have been adopted. This is to be expected, as the world of data points, dashboards and tools comes naturally to technology leaders. While the metrics they share may be technical and presented in thorough detail, without a wider context they are unlikely to gain much traction with Board members.
Making matters worse is the issue of CISO churn, where many newly-appointed CISOs have to wrangle inherited roadmaps or imported procedures, forcing them to present information in cookie-cutter templates.
And it makes a lot of sense for new CISOs to do this. Focusing on data and hard metrics is a great way to showcase quick wins and demonstrate performance. But focusing only on tangible metrics like successful responses to cyberattacks will tell your Board little about ongoing vulnerabilities, and may encourage blind optimism or create unrealistic expectations.
Detailed metrics also tend to turn off executives who don’t have a technical background. When cybersecurity is presented in a numbers-heavy, templated way, without an explanation of its potential to drive competitive advantage, executives can find it hard to see the value in unlocking bigger budgets.
What all this boils down to is a communication challenge. The metrics and data points should be used to support the insights and the story the CISO is presenting. Are threats predominantly internal or external? What are the business implications? Are cyber threats putting the company at legal risk? How much money could the company potentially lose if a cyberattack were to happen? Use data points judiciously, speak in terms of trends, and what those trends mean for the business going forward.
Talk about cybersecurity in terms of business risk and business growth
Individual departments in your organisation will have their own targets, and showing how cyber contributes to them is a vital first step. Cybersecurity is not just information security; it is an integral part of the business’s wider risk management strategy. Showing the Board that you understand what your business’s key assets are and how you plan to protect them is crucial to winning the Board’s confidence. Framing the discussion in terms of loss aversion and the costs of a breach is just one way to go about it. Explaining how solid cyber credentials and robust processes can open up new markets and win customer trust will help senior executives see that cyber is not just a cost centre, but a source of value creation.
Context is king when it comes to metrics
Performance metrics are useful for illustrating your team’s performance, but cyber maturity metrics are arguably more valuable. A performance metric might simply count the number of cyber incidents, while maturity metrics are more holistic, assessing the impact of your initiatives over time. They are thus a great tool for visualising how your efforts are driving positive change at an organisational level, and for measuring improvements. It is especially helpful to compare your cybersecurity maturity with competitor or industry benchmarks, as it helps the Board see where the company is falling behind or beating the competition.
This is where matching metrics with cyber frameworks can be highly valuable. Aligning your reporting with an appropriate model such as Essential Eight, PSPF or AESCSF will allow you to benchmark your performance against a range of other companies’ data. That comparison can be a vital yardstick for senior executives looking for a comparison they can understand – one with the rest of the market.
Simplicity is a superpower
If technical metrics can overwhelm Board members, which metrics should you be showing? The answer will vary based on your organisation’s particular challenges. But moving from large numbers of operational metrics to a curated selection of key metrics that relate to risk and value will help your Board understand the challenges your organisation faces. Metrics are there to support your story, but they aren’t the star of the show. The star is your cybersecurity vision for your organisation. Taking a narrative-driven approach can simplify the key takeaways for your audience, and help turn data that might otherwise baffle your Board into compelling information that can be understood, acted upon – and funded.
There is no one-size-fits-all approach to picking metrics, since every CISO’s goals are different. The power lies in how they are presented, and using simple visuals to communicate them can be very effective. For example:
Flagging key security functions (identify, protect, detect, respond and recover) with icons
Indicating their state with traffic lights or a similar simple scale
Showing changing trends with an arrow or graph
Adding key discussion points and takeaways as bullets
It’s also important to highlight your team’s accomplishments and advocate for a bigger voice in business decisions. One way to do this is to position quantitative metrics (such as dwell time, new vulnerabilities discovered and new vulnerabilities resolved) alongside more qualitative updates (such as the actions taken to improve your security posture and their outcomes).
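The list above and the quantitative metrics just mentioned (dwell time, vulnerabilities discovered and resolved) describe a rollup: raw operational numbers reduced to one state and one trend per security function. The script below is an added example, not code from the article or from Mimecast, of that rollup in Python. The five functions, the traffic-light scale and the trend arrow come from the text; the headline metric chosen per function, the threshold values, the 5% tolerance band and the quarterly sample figures are all constructed for illustration and would be set from the organisation's own risk appetite in practice.

```python
"""Board-level rollup of operational security metrics (added example).

Converts raw per-quarter figures into one curated line per security
function: a traffic-light state, a trend arrow and the latest value.
Thresholds and sample data are constructed, not taken from any real programme.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class MetricSpec:
    """One headline metric per function. `green` bounds the best band,
    `amber` the middle band; anything beyond `amber` is red."""
    function: str
    name: str
    unit: str
    lower_is_better: bool
    green: float
    amber: float


# Constructed thresholds (assumption): a real programme sets these itself.
SPECS = [
    MetricSpec("identify", "asset inventory coverage", "%", False, 95, 80),
    MetricSpec("protect", "critical vulnerabilities open", "count", True, 5, 20),
    MetricSpec("detect", "median dwell time", "days", True, 7, 30),
    MetricSpec("respond", "median time to contain", "hours", True, 24, 72),
    MetricSpec("recover", "restore tests passed", "%", False, 100, 90),
]


def rag_state(spec: MetricSpec, value: float) -> str:
    """Map a raw value onto the red/amber/green scale."""
    if spec.lower_is_better:
        return "green" if value <= spec.green else "amber" if value <= spec.amber else "red"
    return "green" if value >= spec.green else "amber" if value >= spec.amber else "red"


def trend(spec: MetricSpec, history: list, tolerance: float = 0.05) -> str:
    """Compare the latest period with the mean of all earlier periods.
    Changes inside the tolerance band (constructed: 5%) count as flat."""
    if len(history) < 2:
        return "flat"
    latest, prior = history[-1], mean(history[:-1])
    change = (latest - prior) / abs(prior) if prior else (0.0 if latest == 0 else 1.0)
    if abs(change) <= tolerance:
        return "flat"
    improving = change < 0 if spec.lower_is_better else change > 0
    return "improving" if improving else "worsening"


def open_backlog(discovered: list, resolved: list, opening: int = 0) -> list:
    """Turn per-period 'new vulnerabilities found' and 'resolved' counts into
    the open backlog per period, which is the figure a Board can act on."""
    out, open_now = [], opening
    for found, fixed in zip(discovered, resolved):
        open_now = max(0, open_now + found - fixed)
        out.append(open_now)
    return out


ARROW = {"improving": "↑", "worsening": "↓", "flat": "→"}


def board_summary(histories: dict) -> list:
    """One curated row per function; detailed history stays in the appendix."""
    rows = []
    for spec in SPECS:
        hist = histories[spec.function]
        rows.append({
            "function": spec.function,
            "metric": spec.name,
            "value": f"{hist[-1]} {spec.unit}",
            "state": rag_state(spec, hist[-1]),
            "trend": trend(spec, hist),
        })
    return rows


def render(rows: list) -> str:
    """Plain-text slide: function, state, arrow, metric and latest value."""
    return "\n".join(
        f"{r['function']:<9} {r['state']:<6} {ARROW[r['trend']]}  {r['metric']}: {r['value']}"
        for r in rows
    )


# Constructed quarterly sample data, four quarters, oldest first.
SAMPLE = {
    "identify": [72, 81, 88, 93],
    "protect": open_backlog(discovered=[40, 35, 30, 28], resolved=[20, 30, 34, 33]),
    "detect": [41, 30, 18, 5],
    "respond": [50, 48, 51, 50],
    "recover": [100, 100, 100, 85],
}

if __name__ == "__main__":
    print(render(board_summary(SAMPLE)))
```

With the constructed data the slide shows recovery in the red and worsening while detection has moved to green, which is the kind of contrast a Board can discuss without seeing the underlying sixty numbers. The trend is judged against the mean of earlier quarters rather than only the previous one so that a single noisy quarter does not flip the arrow.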
Metrics are there to support your story
When talking to your Board, you’re not just a CISO: you’re a translator, a teacher, an advisor and a salesperson. If you can present insights and metrics in a compelling narrative that resonates with the Board, you have the tools to get the support you need. That can have huge implications in terms of budget, decisions and the day-to-day work of your organisation, improving relationships and bringing the goal of cyber resilience ever closer.