I tweeted the other day in response to a blog post I read which seems to be an upward trend of information intended to help CISO’s disseminate information to their board of directors.
Good actionable information for sure but I feel the need to push the envelope a little and provide some unvarnished and unsolicited observations about boards.
Board members are silos to themselves – My experience has been that board members are generally smart, successful independent types. They are often wonderful resources for asking entrepreneurial questions and generally getting to know better, even if only to further your agenda. Rule of thumb: They generally like to talk about themselves, so let’em…
In many cases these individuals are highly competitive and often do not like other board members. Rule of thumb: Boards are at often AT LEAST as dysfunctional as the organizations they govern.
Some board members do not understand the business – Many times especially within smaller companies board members will be family members that have no clue what the business actually produces let alone how it operates. If they do talk to the CISO they may ask what kind of gun they carry. “You are security, right”..?
Don’t spend much time on these folks. Rule of thumb: Focus efforts on board members that can actually spell vulnerability.
Understand the CISO’s place – There might as well be a sucking sound that accompanies any CISO’s entrance to the boardroom. That sucking sound is the board’s top line revenue being sucked dry. Let’s be real. The board only cares about security insofar as it relates to the income statement, balance sheet or cash flow. Speaking to them on any other terms is wasting oxygen. Rule of thumb: To be a successful CISO you must relish being a cost center. Success is defined by sucking less…
The bottom line is that success in the boardroom is the same as success in life. Observation, seeking to understand, developing relationships, being strategically humble for tactical gain are all key.
Stuart Clark