by Maryfran Johnson

How to calm your board’s nerves about cybersecurity

Apr 23, 2015

CIOs need to provide their companies' boards of directors with regular, easily understood briefings on data security, and steer the conversation toward the familiar ground of business risk management

Keith Turpin has seen some dire mistakes made in front of boards of directors, especially when cybersecurity is on the agenda.

“I’ve seen people go into board meetings with a network diagram,” says the chief information security officer for Dallas-based Universal Weather and Aviation. “You might as well be showing them a crop circle.”

As you’ll learn while reading our story “Boards Are on High Alert Over Security Threats,” Turpin took an innovative show-and-tell approach to convince his board to fund a security program overhaul. He built a small door and fastened it shut with several locks, then he wheeled it into the boardroom and proceeded to open the door by picking the locks one by one. What had looked quite secure was in fact quite vulnerable.

Managing the board’s FUD–fear, uncertainty and doubt–on matters related to cybersecurity is a top priority for CIOs and CSOs everywhere. That’s hardly surprising, given the frantic drumbeat of media coverage, high-profile hacks of famous companies, and staggering statistics about rising cybercrime. There were more than 42 million breaches last year, with an average financial hit of $2.7 million. Even worse: Nearly three-fourths of the victims were clueless about the breach for months afterward.

Ready for some good news? The more the board is engaged with and educated about cybersecurity issues, the stronger the IT security profile of that company. CIOs and CSOs who excel at this particular brand of FUD management find that regular, calming, easily understood communication with the board translates into robust funding for security programs.

Our story spells out some smart approaches to take with those nervous directors, and provides specific guidance about how to lead board conversations away from cyber-scare stories and back onto the familiar ground of business risk management.

“Boards don’t know what they need to know,” says Lloyd Boyd, CIO of Shale-Inland Holdings in Houston. “It’s important for us as CIOs to effectively communicate these issues in practical terms. We’re going to be a victim at some point, and we need to be prepared.”

For CIO Scott Angelo of K&L Gates, defining risk for his board meant talking about vulnerabilities that need to be managed–such as the types of people most likely to want illegal access to the law firm’s data. “I wanted them to focus on what the true threats are,” he says. “Then you know where to spend your money. That there is the secret sauce.”