Editor’s note: The following is a guest article from Lucia Milică, global resident CISO at Proofpoint. You can read her past article about discussing ransomware with the board here.
CISOs finally have a seat at the table. Recent high-profile cyberattacks have forced C-suites to pay close attention to cybersecurity, elevating the role of the CISO. But this new rise to prominence doesn’t mean CISOs are exactly seeing eye-to-eye with their boards.
One reason behind this growing disconnect is the difference in perspectives: CISOs and board members often do not speak the same business language.
Just because boards are more aware of the rise in cyberattacks does not mean they understand how digital technology and cybersecurity translates into business risk.
To improve how you communicate with your board leaders, you must tell the story of cybersecurity vulnerabilities and risks in a way that resonates with them. The best way to achieve that is through the art of storytelling.
Humans have used the power of storytelling for centuries to build trust, convey meaning, help others relate and inspire action. From Aesop’s fables, myths and fairytales to narratives about modern leaders and iconic brands, stories have taken audiences across cultures and generations through the journeys of heroes, real and imagined.
A fundamental communication vehicle, storytelling precedes even the written word — dating back to cave paintings— yet is still remarkably relevant in today’s business world.
Neuroscience research shows that human brains are wired for stories, and certain story formats can even affect brain chemistry. The right narrative can evoke emotion, help process information, and change behaviors and attitudes.
These are all results you strive for when communicating with your organization’s leadership. But effective storytelling is much more than only sprinkling in a few good anecdotes — you have to do a good deal of homework before you can confidently speak in front of your board.
Create memorable analogies
Gaining an audience with your board is a task in itself. When you finally get there, it is tempting to keep the spotlight on your initiatives and achievements. This is a common mistake that will quickly alienate your audience.
Think of your board as the hero and approach your dialogue from a position of service. When you view yourself as a business enabler, it is much easier to reframe the conversation and show board leaders how you can help guide them through cybersecurity risks so they can achieve their business goals securely.
The first step is to understand what matters to the board and what currency their thinking revolves around, as currency is not always dollars.
For example, an energy company may measure risk in terms of oil barrels, while patient safety may be the “currency” for a healthcare organization.
Use the right framework to create memorable analogies and make your cybersecurity story relatable as you define your organization’s cybersecurity journey.
Preparing for your board conversation
A high-level understanding of the board’s frame of mind supplies an overall idea of the needed language, but you must dig deeper to connect at the individual level.
Three other steps will take you there:
- Researching board members’ backgrounds
- Learning their priorities and goals
- Gleaning added insights from “insiders”
The background research (e.g., viewing LinkedIn profiles and conducting a general online search) will help you know each board member a little better. You can learn details such as interests, passions and professional history, all of which could inspire fresh ideas for how your message would better resonate with that specific person.
Next, take the time to understand your organization’s business objectives and the board’s goals. Leverage public company resources available, but do not stop there.
Reading your company’s 10-K report, for instance, can tell you a lot about the story that the organization relays to its investors and the public, as well as help you figure out the board’s priorities.
Armed with that information, lean on your boss and other senior leaders in your internal network to gather first-hand impressions and insights about the board.
Ask for personal introductions to individuals who are especially passionate about technology or cybersecurity and may become your champion. Invite each of them to dinner, which offers an opportunity for informal conversation and questions about the board dynamics before you formally meet with the entire group.
Your executive team wants you to succeed — and when you look good, so does your boss and other superiors. Do not be afraid to use them as your sounding board and benefit from their personal, deep connections with the leaders you are trying to reach.
The executive team’s observations and perceptions are invaluable in helping you craft a powerful story.
Ultimately, your board members are like everybody else — storytelling helps them process information, relate to it, and act. It is your job to make sure you are telling the right story. And while storytelling is an art, mastering that art requires following tested techniques and doing the work.