CyberSecurity SEE

What boards want and don’t want to hear from cybersecurity leaders

Paul Connelly, a former Chief Information Security Officer (CISO) who has transitioned into roles as a board advisor, independent director, and mentor, believes that many CISOs are focusing too much on metrics when presenting to the board. According to Connelly, boards are seeking more strategic insights rather than detailed metrics such as the results of phishing tests.

In his advice to CISOs, Connelly emphasizes the importance of understanding the board members themselves. By reading their bios, understanding their backgrounds, and recognizing their fiduciary responsibilities, CISOs can tailor their presentations to address the specific concerns and priorities of the board. This approach allows CISOs to translate their metrics into meaningful risk and threat analysis for the business.

By developing a high-level narrative that is aligned with the organization’s overall business goals and supported by relevant measurements, CISOs can effectively communicate with the board. Connelly suggests that boards are more interested in hearing a cohesive story about the cybersecurity program and its impact on the business, rather than a laundry list of technical metrics related to cybersecurity threats.

Connelly’s approach highlights the importance of communicating effectively with the board, focusing on strategic insights and risk management rather than getting lost in the details of technical metrics. By understanding the priorities of the board and translating technical data into actionable insights, CISOs can ensure that their cybersecurity programs are aligned with the overall goals of the organization.

Overall, Connelly’s advice serves as a reminder for CISOs to think strategically and communicate effectively with the board in order to demonstrate the value of their cybersecurity programs in addressing the organization’s key risks and challenges.
