1

4 key mistakes CISO make at board meetings

Извините, этот текст доступен только на “Английский” и “Украинский”. For the sake of viewer convenience, the content is shown below in one of the available alternative languages. You may click one of the links to switch the site language to another available language.

Presenting to the board is a challenging opportunity. CIOs and CISOs would be wise to check their assumptions, know their audience, anticipate off-agenda questions, and steer clear of scare tactics.

 

It’s not uncommon for CIOs, CISOs, and sometimes their direct reports to be called on to board meetings or to present IT strategies and plans to their boards of directors. If you don’t join board meetings often, preparation is paramount, starting with learning about the directors’ backgrounds and reviewing minutes from previous meetings. And if you’re presenting, it’s best to consult with colleagues about how the directors discuss, debate, and finalize key decisions.

 

Best practices for board meetings abound. With that in mind, here are 4 common mistakes IT leaders make when participating in board meetings.

 

They assume their board lacks technical expertise

 

In 2019, MIT reported that only 24% of US boards of companies with over $1 billion in revenue were digitally savvy. A more recent review reports that only 51% of Fortune 100 companies and 9% of Fortune 200 through 500 organizations have a director with relevant cybersecurity experience.

 

While these numbers suggest a significant technical and security gap on the boards of large enterprises, it would be a mistake for a CIO or CISO to assume their board lacks digital, data, security, or other technical acumen.

 

“The structure of the boards have changed over the last few years with many being augmented with technology folks, including ex-CIOs in many cases,” says Manoj Tiwary, CIO of Subaru Canada. “So identify one of the board members as your champion. Make sure you work with this champion outside of the board setting to ensure alignment and adoption of your technology strategy.”

 

They favor technical jargon and convoluted answers

 

“CIOs can’t answer questions about key or current IT issues through unintentional, or perhaps intentional, obfuscation,” says Joe Puglisi, a former CIO and now an investor, advisor, and board member. “Nothing baffles the board more than a long string of techno-babble mumbo-jumbo.”

 

It’s important to avoid speaking technical jargon, but sometimes you’re asked to define a technical term or explain a technology. One approach is to answer technical questions with analogies from your industry. We both worked in the construction industry, so, for example, we might help these executives understand Scrum in software development by comparing it to design-build and agile construction project methodologies.

 

They resort to scare tactics or security risks

 

We all know the saying “Never waste a crisis” as a tool to bring attention to the big investments no one wants to make.

 

Sometimes you need a spark to create a sense of urgency, but don’t take this approach too far. I once heard a CISO say, “If you can’t convince the board, then scare them,” which might get a CISO a yes to an investment, but lose credibility over time.

 

If presenting isn’t your best skill, or you only have a few minutes to present, storytelling may confuse directors, says Tony Pietrocola, president and co-founder of AgileBlue. “The problem with boards truly understanding if the enterprise is protected against cyber threats is they’re generally not technical, so the CIO or CISO might answer the question in a confusing narrative,” he says.

 

Jay Ferro, EVP and chief information, technology, and product officer at Clario, and Allata board member, shares examples of how not to answer the board’s questions about security risks. “Don’t say, ‘We’re trying our best and hope we’re protected,’” he says. “No one can guarantee total security. So, it’s hard to say if we’re safe from all threats. Also, don’t overstate your security readiness by saying, ‘Our security posture is robust, and the countermeasures we’ve implemented completely protect our organization from any threats.’”

 

So what should CISOs do to ensure the board understands the security risks without storytelling or using scare tactics?

 

Pietrocola recommends using security benchmarks to help directors understand the risks.  Ferro, meanwhile, recommends discussing the business impacts of high-risk areas and reviewing their remediation plans.

 

They answer vaguely or lack anticipation

 

CIOs and CISOs need to understand what information is important to share at the board level. Presenting too many slides is problematic because directors will lose interest. Summarizing with too few slides may leave out key details on the problem statement, growth opportunities, market trends, and other details that connect business and customer needs with technology strategy.

 

“The last thing we should be doing is present a technology strategy built in isolation at a board meeting, which is out of alignment with the business objectives or not meeting the board’s expectation,” says Tiwary.

 

Here are other examples of questions directors ask about digital transformation initiatives and what an awful response sounds like.

 

  • A director asks about the timeline for an initiative that just kicked off, and the CIO answers, “Well, we’ve just started, so there’s not much to share. We’re still trying to figure it all out, so we don’t have any significant progress or insights yet.” CIOs should always answer the question first and then provide supporting detail. A good response is, “We don’t have a timeline yet, but we’re conducting customer research and running a proof of concept around the technology. We’ll have findings in 30 days and a draft timeline soon afterward.”

 

  • Another director asks what IT is doing about generative AI, and the CIO answers, “AI and all these buzzwords sound exciting, but honestly, I’m not sure what difference they’ll make. They’re still pretty new, so we’re just taking a wait-and-see approach.” The problem with this answer is that boards expect CIOs to have a more substantive recommendation about emerging technologies and the business opportunities and risks, even if the executive committee isn’t prioritizing work around the technology.

 

The key for CIOs and CISOs is to be incredibly informed about the active initiatives, business opportunities, and emerging technologies impacting their business and industry. Even if a topic is not on the agenda, it’s fair game for a director to ask about it.

 

Source: cio.com

Related Posts

card__image

Zero-Day Vulnerabilities: Cases about Consequences from 17 members of Forbes Technology Council

Извините, этот текст доступен только на “Английский” и “Украинский”. For the sake of viewer convenience, the content is shown below in one of the available alternative languages. You may click one of the links to switch the site language to another available language. Zero-day vulnerabilities are flaws or weaknesses in software or an operating system […]

card__image

100% security — mission impossible?

Извините, этот текст доступен только на “Английский” и “Украинский”. For the sake of viewer convenience, the content is shown below in one of the available alternative languages. You may click one of the links to switch the site language to another available language. At some point CIOs and CISOs have inevitably to provide a smart […]

card__image

Zero Trust Security: Benefits and Disadvantages

Извините, этот текст доступен только на “Английский” и “Украинский”. For the sake of viewer convenience, the content is shown below in one of the available alternative languages. You may click one of the links to switch the site language to another available language. As threat actors become increasingly sophisticated, enterprises face a constant battle to […]