CIOs need to provide their companies' boards of directors with regular, easily understood briefings on data security, and steer the conversation toward the familiar ground of business risk management

Keith Turpin has seen some dire mistakes made in front of boards of directors, especially when cybersecurity is on the agenda. “I’ve seen people go into board meetings with a network diagram,” says the chief information security officer for Dallas-based Universal Weather and Aviation. “You might as well be showing them a crop circle.”

As you’ll learn while reading our story “Boards Are on High Alert Over Security Threats,” Turpin took an innovative show-and-tell approach to convince his board to fund a security program overhaul. He built a small door and fastened it shut with several locks, then he wheeled it into the boardroom and proceeded to open the door by picking the locks one by one. What had looked quite secure was in fact quite vulnerable.

Managing the board’s FUD (fear, uncertainty and doubt) on matters related to cybersecurity is a top priority for CIOs and CSOs everywhere. That’s hardly surprising, given the frantic drumbeat of media coverage, high-profile hacks of famous companies, and staggering statistics about rising cybercrime. There were more than 42 million breaches last year, with an average financial hit of $2.7 million. Even worse: Nearly three-fourths of the victims were clueless about the breach for months afterward.

Ready for some good news? The more the board is engaged with and educated about cybersecurity issues, the stronger the IT security profile of that company. CIOs and CSOs who excel at this particular brand of FUD management find that regular, calming, easily understood communication with the board translates into robust funding for security programs.
Our story spells out some smart approaches to take with those nervous directors, and provides specific guidance about how to lead board conversations away from cyber-scare stories and back onto the familiar ground of business risk management.

“Boards don’t know what they need to know,” says Lloyd Boyd, CIO of Shale-Inland Holdings in Houston. “It’s important for us as CIOs to effectively communicate these issues in practical terms. We’re going to be a victim at some point, and we need to be prepared.”

For CIO Scott Angelo of K&L Gates, defining risk for his board meant talking about vulnerabilities that need to be managed, such as the types of people most likely to want illegal access to the law firm’s data. “I wanted them to focus on what the true threats are,” he says. “Then you know where to spend your money. That there is the secret sauce.”