6 Mistakes CISOs make at Board Presentations, and how to get around them

Demonstrating the importance of cyber security is one of the main tasks of a Chief Information Security Officer. After all, he bears overall responsibility for information security in his company. However, it is not always possible to convince stakeholders to introduce certain information security measures. We highlight the most common problems and how to work around them as a CISO.

1. Use of Technical Security Language

When giving presentations to stakeholders, CISOs need to be careful about the language they use. If they get too technical, they will lose their audience. Stakeholders are rarely security experts, so using overly technical jargon is counterproductive. Tip: Be as concise as possible, use appropriate pacing, and visualize instead of using a lot of words.

2. Focus on the Wrong Threat Impact

CISOs should be able to make it clear that cyber threats can have business implications. In other words, they should emphasize how IT security enables the business to enter new markets and reduce annual risk of loss. Here, it is particularly helpful to know the key performance indicators (KPIs) to show the impact of threats on these KPIs. Ideally, a Return on Security Investment (ROSI) calculation should be performed to show the relationship between the expenditure on information security measures and the risk of loss due to cyberattacks.
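A minimal ROSI calculation of the kind described above, added here as an illustration rather than IT-Seal's own method or figures. It uses the commonly cited ENISA-style definition ROSI = (ALE × mitigation ratio − cost) / cost with ALE = SLE × ARO, and every number, control name and mitigation ratio is constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate security measure put before the board (hypothetical figures)."""
    name: str
    annual_cost: float        # licence, staff time, training hours, etc.
    mitigation_ratio: float   # share of the annual loss the control is expected to prevent (0..1)


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: the expected loss per year without the control."""
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale: float, control: Control) -> float:
    """ROSI = (ALE x mitigation ratio - cost) / cost, the ENISA-style definition.
    A value of 1.0 means every euro spent avoids two euros of expected loss."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    return (ale * control.mitigation_ratio - control.annual_cost) / control.annual_cost


def rank_controls(ale: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls by ROSI, best first, for a board slide."""
    return sorted(((c.name, rosi(ale, c)) for c in controls), key=lambda x: x[1], reverse=True)


# Constructed example: a phishing-driven incident costing 200,000 per event,
# expected 0.5 times per year, gives an ALE of 100,000 (illustrative figures only).
ALE = annual_loss_expectancy(200_000, 0.5)
CANDIDATES = [
    Control("security awareness training", annual_cost=20_000, mitigation_ratio=0.6),
    Control("email filtering upgrade", annual_cost=50_000, mitigation_ratio=0.8),
]

if __name__ == "__main__":
    for name, value in rank_controls(ALE, CANDIDATES):
        print(f"{name}: ROSI = {value:.2f}")
```

The ranking is only as good as the mitigation ratios behind it, so the slide should state where those estimates come from (incident history, benchmark data, or expert judgement).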

3. No Transparent Reporting Of Cyber Risks

CISOs often report on the cyber risk situation based on the output of their tools. However, this misses the mark. Not all risks are the same, and risk assessments presented this way lack the context that legitimizes countermeasures. To make the security risk in an organization measurable, we at IT-Seal have introduced the Employee Security Index (ESI®). The ESI® benchmark is a scientifically based, reliable and standardized metric for measuring the security level in companies and tracking its evolution over the course of security awareness training.

4. Failure To Prepare For Potential Questions

Board meetings are not a good place for surprises. CISOs need to avoid being blindsided by questions they can't answer, so your preparation should include more than just the content of the presentation slides. You should also think about what questions stakeholders might ask. The good news: we at IT-Seal provide you with the answers to the crucial questions as part of our full service. As our customer, you will receive quarterly reports from your personal Security Awareness Consultant showing how the security awareness training is developing: how well employees accept the training and which ESI® level you currently stand at, both for individual departments and for the company as a whole. In addition, there are specially prepared reports for the management.

5. Portray Cybersecurity As A Cost Center

A common mistake CISOs make when talking to the board is not addressing the outdated view that security is a cost center. This mindset needs to change! CISOs should help the board see IT security as a business enabler that drives growth and innovation. CISOs can win board buy-in by demonstrating that IT security is a revenue driver, not a costly function.

6. Not Investing In Relationships Outside The Boardroom

CISOs should also engage with board members outside the formal boardroom context. Addressing issues outside of formal channels helps build relationships and ensures that the content is appropriate and understandable to those who need to be reached. This point is held in particularly high regard at our company. Right from the onboarding of a new client, we provide a set of communication templates to help CISOs get other stakeholders on board and address their questions.

At IT-Seal, we know how important it is for the entire organization to be on board with cybersecurity, because that is the only way to build a sustainable security culture across the whole company. Want to know more about our service? Get in touch now and try our free phishing demo.

IT-Seal offers IT security made in Germany.