Winston Churchill famously said, “never let a good crisis go to waste.” But, if a CXO only appears in front of the board when trying to keep their job after a cyber incident, a crisis may well lay waste to their career.
Breaches, malware, and ransomware are rampant, and successful CXOs should be proactive in educating boards and executive leaders about potential gaps in their security plan, along with a strategy for addressing those gaps before an incident occurs. In other words, I would rather warn my board of a risk than inform them of a breach.
In their book Cyber Mayday, which covers how leaders can prepare for adverse cyber events, Dan Lohrmann and Shamane Tan write that "If the only time they see you is when there's a problem, they associate you with the problem." IT professionals from help desk staffers to executive leaders know the feeling of only being in the limelight after something's gone wrong.
That means that even the most successful CXOs – those who rarely encounter an issue worth escalating to a chief executive or corporate board – run the risk of their work going unnoticed. Until it doesn't. Notable cyber incidents are almost inevitable for organizations of any significant size, and any executive could at some point be called before a board to explain how a hack or a data leak happened.
Consider these strategies for getting in front of the board more than just when things have gone sideways.
Plan periodic briefs on the latest developments in cybersecurity
As the SEC looks to get more involved in questions of cyber readiness in the boardroom, this is an excellent opportunity to enhance the cyber literacy of key leadership. This can be part news rundown, part awareness training. Just make sure presentations aren’t overly technical, and be prepared to explain why what you’re telling the board matters. In other words, explain not only that your team has charted a rise in business email compromise activity, but also how the board itself could eventually be targeted and what tactics to be on the lookout for. Come prepared to discuss how your information sessions are relevant to the wider business.
Benchmark your readiness against peer organizations
Every organization’s cybersecurity posture is a reflection of its risk tolerance. Create context for leadership teams by briefing them on how companies of similar size, in related verticals, and across geographies are approaching security. Make use of tools like BitSight, SecurityScorecard, or another cybersecurity rating platform to illustrate your point. Additionally, you may want to draw from conversations with peers and professional networking to suggest initiatives you may want to pursue, pitfalls to avoid, or core areas of focus for various timelines. Together with awareness training initiatives, this will help leaders understand where they stand in relation to similar organizations and the broader threat landscape.
Address resource gaps and security issues that may arise as a result
The cybersecurity skills shortage is well known across industries. But how is it being felt in your organization specifically? Is a lack of development talent putting your cloud-first strategy at risk? Is QA being sacrificed for an ambitious go-to-market timeline, and what security issues might that present? Will understaffing simply mean future initiatives need to be pushed back to accommodate more pressing projects? Be sure your board knows about any disparities between resources and ambitions, and what those might mean for the wider organization. If a security incident does occur and you have been upfront about those security gaps in your communications, you will at least have shown yourself to be proactive.
Taking a seat at the table
Whether you just stepped into your role, or you have been there for years, identifying and escalating a risk is always better than explaining an incident. Educating the board on those risks – whether technical, financial, or staff-related – will only increase your value to the organization.
If you don’t have it today, you’re looking to establish a permanent “seat at the table.” From there you can influence and educate decision-makers on how vital your role is to protecting and enabling the organization to accomplish its goals. Rather than stressing how important your role is after a breach makes it plain, take responsibility for making your impact known.