October 21, 2019


Cybersecurity Reporting to the Board

This week's CISO Executive Network meetings centered around effective ways to report cybersecurity progress to your leadership Board. I frequently present to Boards, educate Boards and sit on several Boards myself, and this was not the first session I have attended on the gap between information security and the Board; even so, it was a great conversation. The following are 10 takeaways that I thought I would share:

  1. Assess honestly whether you are the right person to report to the Board. If you are not a good speaker or have a difficult time focusing or connecting with a group, recruit someone more effective to report to the Board. Keep to your strengths.

  2. During your first time reporting to the Board, tell them your qualifications to garner respect and their attention.

  3. Pick one to two topics, don’t get too detailed, and stay focused.

  4. Provide a general assessment of cyber progress, then discuss your chosen topic(s).

  5. Stay positive and refrain from always reporting on doom and gloom.

  6. Don’t get too far in the weeds and don’t get too techy—if you see Board members’ eyes wandering or glazing over, you are losing them.

  7. If you are reporting on an incident or a strategy to respond to a weakness or vulnerability, provide a synopsis of what happened or what needs improvement, what you are doing to respond to it or improve it, and that you will keep them advised of progress.

  8. Don’t throw your boss under the bus.

  9. Consider using easy-to-read dashboards or other ways to provide a synopsis.

  10. Consider repurposing open and unfilled staff positions to support other needs, such as an analysis of vendors and tools that could save the company money.

Boards know that cyber risk is a top priority, read about it in the news, and are afraid the organization will be the next one to suffer a breach. Understand that they usually don't have a technical background, so keep the technical discussions simple. Focus on cyber risks and your strategy for managing them. Above all, get in the Board room, develop relationships with your Board members and involve them in solutions.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...