What boards want and don’t want to hear from cybersecurity leaders

Paul Connelly, former CISO turned board advisor, independent director and mentor, finds many CISOs focus too heavily on metrics while the board is looking for more strategic insights. The board doesn’t need to know the results of your phishing test, says Connelly. Boards are focused on risks the organization faces, strategies to address these risks, progress updates, obstacles to success, and whether they’re tackling the right things.

“I coach CISOs to study their board — read their bios, understand their background, and understand the fiduciary responsibility of a board,” he says. The goal is to understand the make-up of the board and their priorities and channel their metrics into risk and threat analysis for the business.

Using this information, CISOs can develop a story about their program aligned with the business. “That high-level story — supported by measurements — is what boards want to hear, not a bunch of metrics on malicious emails and critical patches or scary Chicken Little-type of threats,” Connelly tells CSO.