One of the major issues facing chief information security officers (CISOs) is dealing with board of director members who might be, to put it politely, not very tech savvy, said panelists at SC Congress Chicago.
Even with this situation being in place there are methods CISOs can use to get across to the board members the importance of cybersecurity. This includes using terminology that is easily understood, to tell the board only what it needs to know and not get its members bogged down in unnecessary details.
“A major issue with a board is it is probably made up of older individuals who may not understand technology,” said Melissa Ventrone, an attorney with the firm Wilson Elser, Moskowitz Edelman & Dicker. She added that one of the major disconnects that takes place is that the language used by security professionals can be foreign to the board members so one must make an effort to explain what is happening in layman's terms.
Complicating this state of affairs, said Kevin Novak, CISO and IT risk manager with Northern Trust Corp., is many security staffers have their own issues when it comes to communicating incredibly complex issues to an average person.
“We need to work on the soft skills that many security professionals lack,” he said.
One possible solution to this problem that was raised was whether or not it is a good idea for a CISO to sit on the board itself, thus bringing a level of technological savvyness to the situation. That general idea was downplayed by the panelists, but all believed CISOs need to be viewed as being on the same level as other C-suite executives.
“A CISO should be treated with a CIO or CFO level of respect, but a CISO should probably not sit on the board,” said Mike Gibbons, CISO for Edward Jones.
Ventrone agreed saying the average CISO simply does not have the time to spend as a board member, while Novak concluded a CISO is better off just using the time he or she has wisely when given face time with the board delivering pertinent facts and not bogging them down with details.