By David Faraone, Sr. Consulting Director, Unit 42

For many Chief Information Security Officers (CISOs), reporting to the board of directors has been handled as a reactive, albeit very necessary, task. After all, it is the board of directors that sits atop the corporate governance model, so it is incumbent upon security professionals to keep them informed. But communicating about security incidents—like the Log4j vulnerability, for example—fielding requests based on regulatory requirements, or answering questions about a breach that happened in the same industry should not be the only moments that CISOs engage their boards.

On the contrary, security professionals should be in regular contact with their boards, keeping them informed and educated and establishing mutual trust. Ultimately, working together with the board of directors helps create a better security posture—something we all need.

The board’s role as the fourth line of defense

While the board is sometimes thought of as just another group that security leaders need to report to, this governance group can actually be much more.

A board of directors can and should be thought of as the fourth line of defense for an enterprise’s security. The first line of defense is the day-to-day security operations and capabilities managed by hands-on operational staff who triage incidents. The second line of defense is what we call the cyber governance function, while the third line is the internal audit and reporting function. The fourth line of defense, then, is the board of directors. It is critical that all four lines of defense communicate effectively to eliminate gaps and create a cohesive cybersecurity operation.

How to proactively build trust with the board

Enabling the board to be a partner for security and an effective fourth line of defense requires both sides to trust one another. For security professionals, this means navigating what is important to the board in terms of three main elements:

Bring a return on security investment (ROSI) outlook

When communicating with your board, it’s important to make sure that everyone speaks the same language. It’s no secret that board members aren’t often cybersecurity experts. As a result, CISOs often struggle with what level of technical language to use—sometimes even shying away from sharing certain technical information because they simply don’t know how to communicate it to non-technical stakeholders.

I also often see CISOs who emphasize technical elements but are not successful at communicating risk from a business standpoint that the board understands. The sweet spot in communicating with the board is keeping the audience engaged and effectively conveying those risks without scaring them.

Within Unit 42, we use the term ROSI to help communicate the return on security investment. It’s vitally important for CISOs to articulate, in financial terms, why certain security investments are critical: what the return will be, which assets are being protected, and how they are being protected. The ROSI should also explain what the net gain is for the organization’s objective security maturity, not its subjective maturity.

The Unit 42 framework for communicating risk to the board

One of the primary responsibilities that a CISO has to the board is to communicate risk in a proactive and meaningful way. Palo Alto Networks Unit 42 has developed a framework for communicating risk to the board that encompasses the following key steps and items:

Reporting metrics: Be a leader, not a laggard

We often see organizations reporting mostly operational security operations center (SOC) metrics, such as the number of attacks, alerts, or closed incidents, or how many unpatched operating systems there are, to show progress. But that doesn’t go far enough to translate cyber risk. Categorically, those SOC metrics should be considered lagging indicators that result in reactive remediation measures.

We recommend CISOs present leading indicators that promote proactive security initiatives. A good example of a proactive leading indicator would be the number of third parties or supply chain risk management resources that have been assessed over the past 12 months. That metric shows not only how many high-risk supply chain resources there are, but also how far the company is going in validating the due diligence of those third parties.

Recommendations for successful CISO/Board communications

Building a successful working relationship with any board is a process, but the very first key is to establish the relationship. Get to know your board and understand what resonates with them in terms of business risk. Knowing their focal issues is the only way you’ll be able to communicate to them how you’re protecting their best interests in terms of the business assets and the business imperatives.

Also, take a data-driven approach to what is communicated to the board. Eliminating subjectivity wherever you can places you in a better position, as you’re simply stating the facts. That said, simply throwing numbers up on a slide doesn’t work either. What works is storytelling. Board members like to understand the introduction, the plot, the climax, and the resolution. So don’t just present data; present the story behind it.

And fundamentally, remember: the board is part of the solution. They’re the fourth line of defense. As such, be sure to help create a culture of empowerment, where leaders across the organization understand that security is everyone’s responsibility.

About David Faraone:

David is a senior director at Unit 42, leading the North America East Region Consulting Team. He is a highly accomplished cybersecurity consultant with deep expertise serving large organizations in areas such as CISO advisory support, cloud security strategy, network security architecture and design, and Internet of Things security.