In Chapter 6 we turn to our interactions, as CISOs, with our management and our board of directors. As the authors note, there is a heightened awareness of cybersecurity within both the senior management team (what we often refer to in this book as the “C-suite”) and the board of directors. This heightened awareness comes from the ever-increasing profile of cybercrime and the concomitant increase in scrutiny from regulatory bodies, whether to protect our critical infrastructure or protect the victims of breaches and leaks. While this heightened scrutiny is both expected and in many ways needed, our authors make the point that our higher calling is to be the best partner we can be to our peers within our organization.
Bill Bonney brings three points front-and-center: your role as the CISO within your organization, the roles of the individuals with whom you are communicating, and the outcome you wish to get from these encounters. To Bill, the key outcomes are to inform, collaborate, and take action. Bill also asks the reader to consider the natural filters as well as the differing duties that each member of their audience brings to the conversations. As the CISO, he reminds us, you will need to supply the narrative so that the narrative is not provided for you.
Matt Stamper implores us to take our duty to the board and to our management team very seriously and realize that how we communicate the status of our security program and our risk posture matters greatly. He provides the point of view of a member of the board as a unique and informed way to clearly describe what a board member is concerned about, how they expect to be informed, and what they will do with the information they are provided. Through his narrative, he helps CISOs to be more effective in advocating for their requirements.
Gary Hayslip articulates one of the new fears that members of the board harbor when it comes to cybercrime: “… if their company will be next.” Gary also emphasizes how important it is to form relationships within the organization in order to keep constant tabs on competing business objectives, both to inform the CISO about the needs of the organization and to tailor briefings to enable better outcomes. Gary provides a treasure trove of “been there, done that” advice for new and aspiring CISOs on how to make the most of the extraordinary opportunities that CISOs now have to engage with senior leadership and influence the board of the modern company.
Some of the questions the authors used to frame their thoughts for this chapter include:
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.