{"id":66055,"date":"2023-07-25T15:34:09","date_gmt":"2023-07-25T13:34:09","guid":{"rendered":"https:\/\/10guards.com\/?p=66055"},"modified":"2023-07-25T16:07:32","modified_gmt":"2023-07-25T14:07:32","slug":"4-key-mistakes-ciso-make-at-board-meetings","status":"publish","type":"post","link":"https:\/\/10guards.com\/fr\/blog\/2023\/07\/25\/4-key-mistakes-ciso-make-at-board-meetings\/","title":{"rendered":"4 key mistakes CISO make at board meetings"},"content":{"rendered":"<p>Presenting to the board is a challenging opportunity. CIOs and CISOs would be wise to check their assumptions, know their audience, anticipate off-agenda questions, and steer clear of scare tactics.<\/p>\n<p>&nbsp;<\/p>\n<p>It\u2019s not uncommon for CIOs, CISOs, and sometimes their direct reports to be called on to board meetings or to present IT strategies and plans to their boards of directors. If you don\u2019t join board meetings often, preparation is paramount, starting with learning about the directors\u2019 backgrounds and reviewing minutes from previous meetings. And if you\u2019re presenting, it\u2019s best to consult with colleagues about how the directors discuss, debate, and finalize key decisions.<\/p>\n<p>&nbsp;<\/p>\n<p>Best practices for board meetings abound. 
With that in mind, here are 4 common mistakes IT leaders make when participating in board meetings.<\/p>\n<p>&nbsp;<\/p>\n<blockquote><p><span style=\"color: #afcf60;\"><strong>They assume their board lacks technical expertise<\/strong><\/span><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p>In 2019, MIT reported that only 24% of US boards of companies with over $1 billion in revenue were digitally savvy.\u00a0<a href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2023\/02\/06\/90-of-boards-are-not-ready-for-sec-cyber-regulations\/?sh=5c250f2388e7\">A more recent review<\/a>\u00a0reports that only 51% of Fortune 100 companies and 9% of Fortune 200 through 500 organizations have a director with relevant cybersecurity experience.<\/p>\n<p>&nbsp;<\/p>\n<p>While these numbers suggest a significant technical and security gap on the boards of large enterprises, it would be a mistake for a CIO or CISO to assume their board lacks digital, data, security, or other technical acumen.<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cThe structure of the boards have changed over the last few years with many being augmented with technology folks, including ex-CIOs in many cases,\u201d says Manoj Tiwary, CIO of Subaru Canada. \u201cSo identify one of the board members as your champion. Make sure you work with this champion outside of the board setting to ensure alignment and adoption of your technology strategy.\u201d<\/p>\n<p>&nbsp;<\/p>\n<blockquote><p><span style=\"color: #afcf60;\"><strong>They favor technical jargon and convoluted answers<\/strong><\/span><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p>\u201cCIOs can\u2019t answer questions about key or current IT issues through unintentional, or perhaps intentional, obfuscation,\u201d says Joe Puglisi, a former CIO and now an investor, advisor, and board member. 
\u201cNothing baffles the board more than a long string of techno-babble mumbo-jumbo.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>It\u2019s important to avoid speaking technical jargon, but sometimes you\u2019re asked to define a technical term or explain a technology. One approach is to answer technical questions with analogies from your industry. We both worked in the construction industry, so, for example, we might help these executives understand Scrum in software development by comparing it to design-build and agile construction project methodologies.<\/p>\n<p>&nbsp;<\/p>\n<blockquote><p><span style=\"color: #afcf60;\"><strong>They resort to scare tactics or security risks<\/strong><\/span><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p>We all know the saying \u201cNever waste a crisis\u201d as a tool to bring attention to the big investments no one wants to make.<\/p>\n<p>&nbsp;<\/p>\n<p>Sometimes you need a spark to create a sense of urgency, but don\u2019t take this approach too far. I once heard a CISO say, \u201cIf you can\u2019t convince the board, then scare them,\u201d which might get a CISO a yes to an investment, but lose credibility over time.<\/p>\n<p>&nbsp;<\/p>\n<p>If presenting isn\u2019t your best skill, or you only have a few minutes to present, storytelling may confuse directors, says Tony Pietrocola, president and co-founder of AgileBlue. \u201cThe problem with boards truly understanding if the enterprise is protected against cyber threats is they\u2019re generally not technical, so the CIO or CISO might answer the question in a confusing narrative,\u201d he says.<\/p>\n<p>&nbsp;<\/p>\n<p>Jay Ferro, EVP and chief information, technology, and product officer at Clario, and Allata board member, shares examples of how not to answer the board\u2019s questions about security risks. \u201cDon\u2019t say, \u2018We\u2019re trying our best and hope we\u2019re protected,\u2019\u201d he says. \u201cNo one can guarantee total security. 
So, it\u2019s hard to say if we\u2019re safe from all threats. Also, don\u2019t overstate your security readiness by saying, \u2018Our security posture is robust, and the countermeasures we\u2019ve implemented completely protect our organization from any threats.\u2019\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>So what should CISOs do to ensure the board understands the security risks without storytelling or using scare tactics?<\/p>\n<p>&nbsp;<\/p>\n<p>Pietrocola recommends using security benchmarks to help directors understand the risks. \u00a0Ferro, meanwhile, recommends discussing the business impacts of high-risk areas and reviewing their remediation plans.<\/p>\n<p>&nbsp;<\/p>\n<blockquote><p><span style=\"color: #afcf60;\"><strong>They answer vaguely or lack anticipation<\/strong><\/span><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p>CIOs and CISOs need to understand what information is important to share at the board level. Presenting too many slides is problematic because directors will lose interest. Summarizing with too few slides may leave out key details on the problem statement, growth opportunities, market trends, and other details that connect business and customer needs with technology strategy.<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cThe last thing we should be doing is present a technology strategy built in isolation at a board meeting, which is out of alignment with the business objectives or not meeting the board\u2019s expectation,\u201d says Tiwary.<\/p>\n<p>&nbsp;<\/p>\n<p>Here are other examples of questions directors ask about digital transformation initiatives and what an awful response sounds like.<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>A director asks about the timeline for an initiative that just kicked off, and the CIO answers, \u201cWell, we\u2019ve just started, so there\u2019s not much to share. 
We\u2019re still trying to figure it all out, so we don\u2019t have any significant progress or insights yet.\u201d CIOs should always answer the question first and then provide supporting detail. A good response is, \u201cWe don\u2019t have a timeline yet, but we\u2019re conducting customer research and running a proof of concept around the technology. We\u2019ll have findings in 30 days and a draft timeline soon afterward.\u201d<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Another director asks what IT is doing about generative AI, and the CIO answers, \u201cAI and all these buzzwords sound exciting, but honestly, I\u2019m not sure what difference they\u2019ll make. They\u2019re still pretty new, so we\u2019re just taking a wait-and-see approach.\u201d The problem with this answer is that boards expect CIOs to have a more substantive recommendation about emerging technologies and the business opportunities and risks, even if the executive committee isn\u2019t prioritizing work around the technology.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>The key for CIOs and CISOs is to be incredibly informed about the active initiatives, business opportunities, and emerging technologies impacting their business and industry. Even if a topic is not on the agenda, it\u2019s fair game for a director to ask about it.<\/p>\n<p>&nbsp;<\/p>\n<p>Source: cio.com<\/p>","protected":false},"excerpt":{"rendered":"<p>Presenting to the board is a challenging opportunity. CIOs and CISOs would be wise to check their assumptions, know their audience, anticipate off-agenda questions, and steer clear of scare tactics. 
&nbsp; It\u2019s not uncommon for CIOs, CISOs, and sometimes their direct reports to be called on [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":3435,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-66055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/10guards.com\/wp-content\/uploads\/2020-results.jpg","_links":{"self":[{"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/posts\/66055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/comments?post=66055"}],"version-history":[{"count":6,"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/posts\/66055\/revisions"}],"predecessor-version":[{"id":66061,"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/posts\/66055\/revisions\/66061"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/media\/3435"}],"wp:attachment":[{"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/media?parent=66055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/categories?post=66055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10guards.com\/fr\/wp-json\/wp\/v2\/tags?post=66055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}