As Cybersecurity Evolves, So Should Your Board
Business Lab - A podcast by MIT Technology Review Insights
Executives need to clearly communicate risks but also bring context to data. Tech talk is out: speaking the same language will win the day. It’s drilled into the heads of board directors and the C-suite by scary data-breach headlines, lawyers, lawsuits, and risk managers: cybersecurity is high-risk. It’s got to be on the list of a company’s top priorities. But how many directors get lost in the technicalities of technology? The challenge for a chief information security officer (CISO) is talking to the board of directors in a way they can understand and support the company. Niall Browne, senior vice president and chief information security officer at Palo Alto Networks, says that you can look at the CISO-board discussion as being a classic sales pitch: successful CISOs will know how to close the deal just like the best salespeople do. “That's what makes a really good salesperson: the person that has the pitch to close” he says. “They have the ability to close the deal. So they ask for something.” “For ages,” Browne says, CISOs have had two big problems with boards. First, they haven’t been able speak the same language so that the board could understand what the issues were. The second problem: “There was no ask.” You can go in front of a board and give your presentation, and the directors can look like they’re in agreement, nodding or shaking their heads, and you can think to yourself, “Job done. They’re updated.” But that doesn’t necessarily mean that the business’s security posture is any better. That’s why it’s important for CISOs to raise the board’s understanding to the level where they know what’s needed and why. Especially when it comes to new advances in cybersecurity, like attack surface management, which is “probably one of the areas that CISOs focus least on and yet is the most important,” Browne says. For example, “many times the CISO and the security team may not be able to see the wood from the trees because they're so involved in it.” And to do that, CISOs need a set of metrics so that anybody can read a board deck and within minutes understand what the CISO is trying to get across, Browne says. “Because for the most part, the data is there, but there's no context behind it.” This episode of Business Lab is produced in association with Palo Alto Networks.