Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.
"Enrique, how do you avoid the CEO or other executives becoming uncomfortable with the CISO approaching the board?"
First of all, the board is probably going to seek out the CISO. What I tend to do given the kind of role I usually play on most of the public boards is to make sure everybody knows I'm going to talk to the CISO directly one-on-one outside of the board. I want to have that relationship. Most of my CEOs, once I talk to them about it, respond with "Of course, please do."
The key is your goal. When a CISO talks to the board, what he/she can say to them is, "I'm trying to raise security awareness. My goal is to raise the awareness of the board and the company around their role in security." When talking to the board, try to help them understand what they can do to support all of us in making the security profile of the company better.
Unfortunately, some people are going to be a bit insecure. You can't let that deter you from getting the help you need. What I don't want to happen is that that communication isn't there, and then something happens and the board asks, "Why didn't you tell me? Why didn't you talk to me? Why didn't you talk to us about this concern you had?" That's a situation you never want to be in.
The board is always going to ask you, "When did you suspect...". If an incident does happen, they are going to say, "When did you start worrying about this? What was the first time you felt like there was an issue?" You never want to be on your back foot. It's not anything other than just being transparent. Boards want to know. They want to know the things they can spend some time thinking about where they can be helpful.
I go to many discussions in not just security, but across all the functions. I'm on three Fortune 500 boards, probably six or seven public companies, and then probably another dozen private companies. In the discussions, the board wants to hear what's going on and not some sugar-coated version. It doesn't mean they want to hear a bunch of complaining. What they want to hear is just transparent, authentic, intellectually honest discussion about what's going on. I encourage not only just security, but all functions to take the approach of letting the board know what is going on.
With all of the things happening in cybersecurity, my sense is that the level of understanding at the board level has been maturing as well. Years ago, if you went to the board, presenting a scenario and an exercise that was just completed, talking about all of the things that could fall apart, you would risk presenting a stark and dark picture that scared the board.
Nowadays it's different. The board has a level of understanding that security is not about being perfect, it is not about covering everything. It is about seeing and understanding where the risk is and picking the right battles and the right priorities to reduce that.
The board wants you to succeed; we're all on the same team! It's not an adversarial relationship. More than anything else, the board has a responsibility to shareholders; they want the company to be successful. They want the people in the company to be successful, and they want to help. The best teams engage the board in a constructive dialogue about what's working, what's not working, and what we can collectively do to improve the company.
The objective is not to show them how smart you are. That's not really the goal here. It's about them having confidence that you're on top of the right issues, that you're focused on the things that matter, that they can expect you to be transparent. That's what we're all looking for. It's not an adversarial relationship, it's a collaborative, let's win together relationship.
About Enrique Salem
Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama’s U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.
About Erkang Zheng
Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.
Posted By Mark Miller
Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain.
Mark actively participates in the DevOps/DevSecOps community by building DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the Senior Storyteller and Senior Director of Community and Content at JupiterOne.
As well, Mark is Executive Producer of the DevSecOps Podcast Series (300K+ listens), and the Executive Editor of the LinkedIn DevOps Group (124K+ members).