Winning Over the Board
Episode 42 • 9th July 2019 • The New CISO • Steve Moore

Shownotes

Building an Effective Relationship with a Board

Colin Anderson, Chief Information Security Officer at Levi Strauss & Co, sits down with Steve Moore to talk about building an effective relationship with an organization's board: managing expectations, telling narratives that resonate, the makeup of a board meeting, and the different personalities around the table.

What the CISO & a Board Have in Common

The CISO and the board share a common goal: managing risk so that the business succeeds. Even so, the CISO has to earn the board's trust, even when it is well established that he is the security subject matter expert.

Successful relationships must be nurtured, and this one is no different. Each board member comes to the table with a different point of view, background, set of expectations, and personality. Getting to know the board, and how best to communicate with its members, is one of the CISO's top priorities.

Advice to a Younger Self

The first rule is to know your board, because every board is different. Some are savvy and cyber aware, while others have little exposure to technology and security. Do your homework to understand each board member's areas of expertise and experience. You want to know whether any of them have lived through a security incident or breach in the past, and whether they have a deep understanding of security.

Another important question to ask yourself is whether you know any security leaders who have worked with some of your board members.

It's also important to know your narrative: what is the plan for your security function, how do you measure progress, and how do you best communicate with the board to earn its trust and support? I've seen a lot of leaders present in front of board committees, and the most common mistake I see is the presenter not being prepared for that board audience. The presenter knows his stuff, but he fails to communicate it in a way that earns the board's trust and confidence.

That storytelling skill is very important, because your board is going to remember the narrative you tell them. The statistics you put in front of them may resonate for the moment, but a few months down the road they are not going to remember the numbers. They will remember the narrative you gave them, the example you crafted to emphasize the point you wanted to get across.

The Different Types of Boards

There are different types of boards: some are security savvy and others are not. Broadly, board members either have an IT background or they don't, and many have simply not cared about the topic. But a day of reckoning has arrived for them. They can no longer afford to be ignorant of these issues or dismissive of them, and they should know what the security department, and especially the CISO, does.

However, security is still a relatively new topic for boards, and the conversation is in its infancy. Boards don't really know how to measure whether a security program or security leader is effective. The NACD (National Association of Corporate Directors) has put out fairly prescriptive guidance for boards on how to oversee security risk. This helps educate the board, and it also helps the security leader understand how the board will be measuring them.

Presenting to a Board

Earning your board's trust is the most important thing you can do for your long-term success as a CISO. Educate them and build a partnership in which you both work to manage risk to the business and enable it to succeed.

The board members bring skills and experience you don't possess, and you have skills and information they likely do not possess. They are looking to you as the subject matter expert on security to help them make more informed business decisions. So if a situation is bad and there is a problem, don't be afraid to bring that concerning information to your board. Don't be afraid to say that you don't have all the answers. Tell them what you are doing, or what you are not going to do, and why. In reality you have to make some hard choices, and that transparency gives credibility to your message and your plans.

The board relies on your judgment of what is critical or important, because they may not have all the background information. Your assessment of the situation therefore carries a lot of weight with the board.

Bringing in a Third Party to a Board Meeting

A third party can be brought in to reinforce a specific plan or concern you have. That extra voice carries a lot of weight with some boards. The board may also bring in a third party of its own, such as an auditor, to ask questions or give more insight on a given topic.

If another CISO is brought in, he needs to bring more than just the security skillset to be an effective board member.

The Toughest Board Member Ever Presented to

There was a telecommunications executive who had previously lived through a major security breach. He was new to the retail company in question, so he didn't have a deep understanding of the business. He also didn't fully appreciate that the business risks, and often the adversaries, differ considerably between retail and telecommunications companies.

He was incredibly concerned that something similar could happen at the organization he was joining as a board member. This challenge was not solved in one meeting; it took Anderson three to six months of talking with this individual member. He worked on educating him about the new business, what was different and what was similar. Because of the event he had experienced, the board member came in very concerned and not very trusting.

Getting the executive on board involved conversations in and out of the boardroom, sometimes one-on-one and sometimes with the general counsel present. Anderson educated him about the business, how he viewed risk, which risks he was most concerned about, and what they were doing to manage them. The executive raised questions about what had happened at the telecommunications company, and Anderson would share his perspective on how he would handle a similar situation. Over time trust was built, and the executive appreciated that Anderson understood where he came from.

Building Effective Relationships 

To build an effective relationship, learn about the business at hand and how you can help. What are the business leaders doing, and how can you help them? Focus on how you can be more effective for them. Security is often a support function, and the business leaders are the ones generating revenue for the organization; as a CISO you are there to help them succeed. If you can build that mutually beneficial relationship, it's a win-win.

Sometimes in a board meeting you may be asked questions outside your specific area of expertise, and it may be advisable to avoid answering those. There are also some metrics you should avoid with the board. Anderson prefers to present metrics that tell a story or a trend, metrics that can be used to make important decisions, because they are relevant, more aligned to the business, and the board will care about them. Use metrics to emphasize specific decisions you are making.

One good piece of advice is to think through and plan for the questions you are likely to get from the board based on the content you are presenting. This leads to more success with the board.

Also, if your presentation time is short, send your content about a week in advance. That way you go in with the expectation that they have read it, and you can focus the presentation on a few key points. If you are cut down to only a few minutes, hit the most important points and adjust your presentation accordingly.

Anderson's Take on Working at Levi Strauss & Co

Levi Strauss & Co is an amazing company that attracts people who believe in a mission. The company believes in doing right: it supports the community, embraces diversity and inclusion, and believes in giving back and in philanthropy. It's a wonderful place to work.

Resources:

Exabeam - Website

Steve Moore - LinkedIn

Colin Anderson - LinkedIn

NACD - Website
