by Maryfran Johnson

Briefing the board on security: Put data in the driver’s seat

Feature
24 Mar 2020
IT Leadership, Security

Skip the scare tactics and cultivate “tech champions” among your board directors via data-driven stories and cybersecurity scorecards.


With the annual costs of cybercrime in the trillions of dollars, the boardroom conversations CIOs have about cybersecurity are weighted with anxieties on both sides.

“We have a burning platform, and that’s a leadership opportunity” CIOs should step up and seize, says Bob Zukis, founder of the Digital Directors Network, an executive association that advocates for technology expertise on boards. “The board is focused on value-creating opportunities, so the two conversations need to go hand in hand.” 

Yet as technology topics go, information security has always been prone to geeky acronyms, cartoonish names for dangerous malware and technical complexities that defy concise explanations to businesspeople. 

“The easiest way to talk to the board about cybersecurity is to scare them. It’s not hard. There’s always something happening somewhere close to home,” says Greg Morrison, former CIO of Cox Enterprises and now a board director for Veritex Holdings. “But you can only do that once.” 

Far more effective as a strategy, Morrison adds, is for CIOs to cultivate knowledgeable advocates and tech champions among the board members. “If the board has a technologist, usually they’ll reach out to the CIO’s organization to get more perspective directly from that CIO. You can use that person to advocate for the message you want to convey.”

That’s what happened with former Sysco CTO Wayne Shurts after he joined the board of directors at Armstrong Industries last year. He met and connected with Armstrong’s CIO to collaborate on a cybersecurity presentation to the board. Since then, Shurts has spent time with the CIO’s staff enjoying his “deep dives” into Armstrong’s technology plans around IoT in manufacturing. 

Tell your story with data

Back when he was presenting cybersecurity updates to his board at food distribution giant Sysco, Shurts took a two-pronged approach. One part of that was to share a dashboard of specific cyber metrics at every board meeting, which gave the corporate directors a trend line to monitor throughout the year. 

The other part was to use storytelling to educate the board via whatever prominent security breaches were making news. “Whenever there was a very public breach, I’d talk to the board about what had happened since we last got together,” the longtime CIO and CTO recalls. “With the WannaCry (ransomware in early 2018) I talked through what it was, why it wouldn’t happen at Sysco, and what we learned about it. It connects when you’re telling a real story.” 

For Bron McCall, CTO at Utah-based Extra Space Storage, developing the ideal cybersecurity communications style for the board took some time to figure out. “In the past, I think I was giving them too much info. Their frame of reference was whatever they read in the news,” he explains. “They’d say, ‘Bron, can you guarantee that we’re protected?’ I can’t do that, but I could talk about best practices.”

The biggest win with the board, he says, came about after he and his security chief developed a scorecard using a NIST (National Institute of Standards and Technology) framework. “With this simple, consistent scorecard format, the board can see which way the needle is moving.” McCall credits Extra Space Storage board member Ashley Dreier, chief information and technology officer at HealthEquity, with the original suggestion to develop a scorecard. “She put that idea in our heads.”

Board members are especially attuned to stories drawn directly from data, says Joe Norton, a longtime IT executive with deep expertise in security and risk across several industries. “The very best way to approach the board is with pure data about what’s happening operationally,” says Norton, who currently serves as chief digital officer of a Chicago-based startup.

As an example of operational data worth sharing with the board, consider what your company’s spam filters are finding, he suggests. “How many flagged emails with malware are you stopping? Is that number going up? Down? How many are getting through?” At one of his former organizations, Norton wanted to evaluate the company’s risk posture before asking the board for a large investment in monitoring tools. “So we looked back at six years of security incidents.”

That six years’ worth of operational data delivered an unexpected reveal: “Fully 87% of our incidents were from phishing attempts, triggered by emails and employees taking inappropriate actions.” Rather than asking for a significant investment in additional monitoring capabilities, Norton and his team “reassessed and reprioritized” their funding request to the board.  

“Turn your business of IT operations and risks into a set of data I will understand,” he recommends, “and show me the trend lines.”
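The scorecard and the look-back analysis described above, as an added example that is not code from the article or from any of the companies it names: it turns a constructed incident list and constructed mail-filter counts into the two board-facing figures the sources ask for, share of incidents by root cause and the direction of a metric's trend line. All record types, field names and sample values are assumptions for illustration.

```python
"""Board-facing security scorecard built from operational data (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    year: int
    cause: str  # root cause label, e.g. "phishing"


@dataclass(frozen=True)
class MailFilterStats:
    quarter: str
    stopped: int    # flagged malware emails the filter blocked
    delivered: int  # malicious emails that reached inboxes and were found later


# Constructed six-year incident sample; counts are illustrative, not real data.
SAMPLE_INCIDENTS = (
    [Incident(2014 + y, "phishing") for y in range(6) for _ in range(20)]
    + [Incident(2014 + y, "unpatched_service") for y in range(6) for _ in range(2)]
    + [Incident(2014 + y, "lost_device") for y in range(6)]
)

# Constructed quarterly spam-filter figures, also illustrative.
SAMPLE_MAIL_STATS = [
    MailFilterStats("2019Q1", 1200, 40),
    MailFilterStats("2019Q2", 1500, 35),
    MailFilterStats("2019Q3", 1700, 30),
    MailFilterStats("2019Q4", 2100, 34),
]


def share_by_cause(incidents):
    """Percent of incidents per root cause, most common first, whole percents."""
    counts = Counter(i.cause for i in incidents)
    total = sum(counts.values())
    return {c: round(100 * n / total) for c, n in counts.most_common()}


def needle_direction(values):
    """'up', 'down' or 'flat' from the sign of a least-squares slope.

    Using the slope over the whole series rather than first-vs-last keeps
    one noisy quarter from flipping the arrow shown to the board."""
    n = len(values)
    mean_x, mean_y = (n - 1) / 2, sum(values) / n
    numerator = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    return "up" if numerator > 0 else "down" if numerator < 0 else "flat"


def scorecard(incidents, mail_stats):
    """One consistent set of figures to repeat at every board meeting."""
    return {
        "share_by_cause_pct": share_by_cause(incidents),
        "malware_mail_stopped": needle_direction([m.stopped for m in mail_stats]),
        "malware_mail_delivered": needle_direction([m.delivered for m in mail_stats]),
        "catch_rate_pct": [round(100 * m.stopped / (m.stopped + m.delivered), 1)
                           for m in mail_stats],
    }
```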