Effective Risk Communication for CIOs and CISOs


Town Hall Insights
Washington, DC CIO & CISO Community

PRESENTER: Brandon Wales, Vice President, Cybersecurity Strategy, SentinelOne
GOVERNING BODY HOST: Mark Booth, SVP & CIO, Perdue Farms
DISCUSSION LEADER: Jonathan Fowler, CISO, Consilio
DISCUSSION LEADER: Shilpa Jasthi, Head of Information Security, Infrastructure and Workforce Technology, College Board

DECEMBER 2024

In today's evolving threat landscape, CIOs and CISOs must effectively measure and communicate cybersecurity risks to secure investment in security strategies. With new regulations and the increasing recognition of cybersecurity as an organizational risk, reframing risks in the context of organizational outcomes is crucial. A leadership team that understands the balance between risk, investment, and outcomes is key to enhancing operational resilience.

Recently, CIOs and CISOs in the Washington, DC Community came together to discuss how to communicate risks effectively and secure buy-in for cybersecurity investments. Brandon Wales, Vice President, Cybersecurity Strategy at SentinelOne, kicked off the session, and Washington, DC Community members Mark Booth, SVP and CIO at Perdue Farms, Jonathan Fowler, CISO at Consilio, and Shilpa Jasthi, Head of Information Security, Infrastructure and Workforce Technology at College Board, led the discussion groups.

Key Takeaways from the Discussion

  1. Communicating security challenges to leadership

CIOs and CISOs in the discussion reiterated that their job is not only security, but also risk management. A good place for IT and security leaders to start is to make sure they understand, and can articulate, the nuances of their organization's unique threat model. As one executive explained, this includes “not just well known and obvious things, but also risks that are unique to you and your network.”

The executives cautioned against using “FUD” (fear, uncertainty and doubt) when communicating about cyber threats to the board and other stakeholders. As one CIO commented, “You want to give leadership a solid review of the cyber landscape, but don’t scare them – it’s a delicate balance.” Others agreed that it’s best to provide facts and data and advised against “introducing fear to get people to do something.”

A CISO shared that you also have to be cognizant of what you are leaving out of presentations, noting: “Be mindful of what information you leave out because you are making the decision for them.”

Overall, CIOs and CISOs agreed that you have to know your audience and their level of sophistication with technical details, and provide actionable recommendations to them. As one technology executive said, “Frame it in the language of risk to the business.”

One CIO also shared that you cannot always position security investments as providing ROI, but possibly as savings or reallocation to other priorities – which is still valuable to the board.

  2. Addressing regulations and SEC rules on board engagement in cybersecurity

Most executives in the discussion indicated that new rules and regulations are not currently impacting how they communicate about cybersecurity with the board, although a few mentioned that EU regulations could be affecting multinational companies. Others noted that rules can “generate interest” from the board in how they are managing regulations in general.

One CISO commented that regulations can help drive security requirements and prioritization. Several executives mentioned that privacy rules – and the complex privacy landscape in general – had caused them to prioritize implementing related security changes.

  3. Balancing security with broader operational needs

CIOs and CISOs in the discussion shared their thoughts on how to strike a balance between business needs and managing risk. Several executives referred to the right level of “friction,” with one asking, “How do you have the right amount of friction so that you’re not blocking anything, but not doing a minimal job on security, either?”

Others shared that they collaborate with each other in IT and security to continuously assess the risk management framework and business requests and then weigh the tradeoffs. One CISO said that they have a “get to yes plan” with their CIO because “we support growth and can’t be naysayers.” Another security leader observed that the nature of compromise is such that “we all live in a scenario where no one walks away totally happy.” 

Another CIO noted that their organization’s vendors and suppliers have had four incidents in four years, and others agreed that third-party risk management remains a challenge.

Overall, executives agreed that their role as CIOs and CISOs is to prioritize the risks to the organization. As one CIO summarized it, the objective of their communications with the board should be “here’s where we are, here’s where we are improving, here’s how prepared we are, and here’s how we are maturing in our processes.”

For more opportunities to discuss measuring and communicating risk with other CIOs and CISOs, apply to join your local Evanta Community. If you are already a member of an Evanta CIO or CISO community, sign in to MyEvanta to register for your upcoming community programs.