Board-Level Cybersecurity: Measuring and Communicating Risk to your Board
Join cybersecurity experts Anir Desai, Justin Graham, and Ashli Pfeiffer, along with Bryan Mitchell, former CISO of AutoZone, as they address one of the most critical challenges in cybersecurity leadership: communicating risk to Boards of Directors. Despite growing awareness of major cyberattacks, many board members and executives remain largely uneducated about the true risks their organizations face, often leading to underfunded security initiatives.
In this engaging session, the panel explores effective strategies to bridge the communication gap between technical and non-technical audiences, equipping CISOs and security leaders with actionable insights to drive better outcomes.
Key Takeaways:
- Common challenges and communication gaps between CISOs and executives
- Proven strategies to explain cybersecurity risks to non-technical Boards of Directors
- How to leverage internal and external experts for impactful communication
If you’re looking to enhance your approach to risk communication and secure critical buy-in from leadership, this discussion is a must-watch.
Hey everyone, if you’re joining right now, we’re going to give it just a couple more seconds to allow others to get dialed in.
Welcome. Happy to have you here today. Get your coffee, get your tea, or whatever you need to get ready for this discussion. About one minute past the hour is when we will formally kick off.
Love to see those numbers growing, seeing people joining from all over. I see a lot of your names, clients. Hi to those that I know; for the others, we will introduce ourselves momentarily. Okay, we are officially one minute past the hour. Welcome everyone. Thank you for joining us. We are excited to share this conversation on a very important topic, which is communicating risk to your board of directors, any other non-technical executives, or any other names that you might have around that kind of Board of Directors level. We’re all aware, mainly aware, I think, at times, of the cybersecurity-related headlines that are increasing in frequency and severity, from the CrowdStrike outage that happened last year to the attack on the US Treasury Department, and yet, despite the increasing urgency in protecting our business and assets, boards of directors and CISOs and others often have trouble really aligning, getting on the same page. That’s why we’re here. If you as a cybersecurity leader feel like you’re struggling, you’re not alone. We have the research to prove you’re not alone. So that’s why we’ve assembled this group. That’s our panel discussion today.
Hi everyone. Let’s quickly start off with my own introduction. My name is Ashli Pfeiffer. I’m a managing director at Tevora in our information security and consulting practice, so I focus on SOC compliance as well as our InfoSec support, also known as GRC support. Additionally, I support and work in other compliance frameworks, and I am one of Tevora’s virtual CISOs, which partner with our clients to gap fill or enhance the CISO needs of any company. I’m thrilled to be the moderator for today’s discussion, and then also, I am based in sunny California, but I originally hail from Minnesota, so my heart and warm thoughts go out to everyone in the polar vortex right now. Let’s see a little more about Tevora before I hand it over to our panel members to introduce themselves. Tevora is a cybersecurity and compliance consulting firm based in California. As I mentioned, we are focused on supporting chief information security officers. We work with a broad range of company types, industries and sizes, and we’ve assembled a few experts here today to tackle the topic of communication with boards and other executives, as I mentioned. But before we get started, let’s do a bit of introduction. So, I will hand it to the panel members to introduce themselves. Justin, let’s start with you.
Yeah, sure. Justin Graham. I’ve been with them for about four years; I’m a senior manager. I oversee the federal and healthcare practices, so compliance-related services: HIPAA, HITRUST, FedRAMP, CMMC, NIST. Also, as it’s relevant to today’s discussion, I serve in a vCISO capacity for a handful of clients in the healthcare vertical.
Perfect. Thanks, Justin, and Bryan.
Ashli, it’s great to be here and to participate with the team at Tevora. I’m Bryan Mitchell, a chief information security officer for Group360 in Brentwood, Tennessee. And for context, at Group360 we’re partnered with the largest hotel brands in the world, and we own and operate the only global marketplace for group travel with online capabilities to book rooms and meeting space in what’s roughly a $1 trillion annual industry. Formerly, I was the CISO for AutoZone Corporation as well as the Global Director of Security Operations for FedEx Corporation, and it’s great to be here.
Thank you, Bryan. Okay, before I dive into our first set of questions, a little bit of housekeeping. Please know, if you have any questions for our panelists, you can enter them into the Q and A box. It should be kind of at the bottom of your screen, and we will do our best to respond. I’ll incorporate them into the questions as we go, or at the end, we’ll have a dedicated Q and A time. Throughout our talk, we’ll also potentially be asking a few poll questions. We’ll kind of just see how that flow goes. Really what we’re saying here is we want your input. This is meant to be a discussion and to involve you. So, post those questions, post those discussion ideas, and we’ll address them as we can. Okay, Bryan, we’re going to start with you. Bryan, tell us a little bit about your research. You mentioned that you’ve done some of that in this space. So, kick us off. Tell us about it.
Absolutely. And so, for context, the research that Ashli is referring to is my dissertation research project in support of an applied doctorate, which took the form of a qualitative needs assessment. My research sought to explore what board members truly understand about cybersecurity and the risks associated. Since for boards cyber can be theoretical or ethereal in nature, I examined the topic through the lens of finance, since board members understand financial risk; call it a common language. I had the privilege of conducting interviews with industry experts on cyber risk who’ve participated on or worked alongside boards within the Fortune 500, and a unique byproduct of this approach was that many participants also sat on the boards of private companies, particularly those that are private equity and venture capital backed. What really made this a powerful study are the people who agreed to participate, which included current and former board members who have experience on numerous risk and oversight committees, to include current and former CEOs, CFOs, CIOs and even CSOs.
Thank you, Bryan. Yeah, that’s interesting; it’s just so interesting to me. And so, with that, to help everyone get a little more insight into what that research led to, could you summarize some of the key takeaways you uncovered?
Absolutely. Doctoral research seeks to achieve what’s called saturation, which means getting the same answer consistently from all participants. And this probably surprised the audience, but the most immediate finding was that executive leaders generally lack a deep understanding of the financial impacts that cyber-attacks can pose. While not needing to be technical experts, board members do need to depend on reliable and credible sources of cybersecurity and risk information, which in turn enables communication. As you all know, in the absence of a grounded understanding of cyber risk, communicating and discussing risk at the board level is much more challenging. The findings, which should be published later this quarter, also delve into both contributing factors as well as possible solutions for appropriately bridging that knowledge gap.
Thank you. Okay, switching over to Justin, we’re going to kind of flip that, and instead of looking at the direction of communication from, let’s say, CISOs to the board, look at it the other way. So, what is the purpose and perspective of the board members and the value that they’re bringing to the conversation? And tactically, how to incorporate board feedback into the CISO role?
When you think of the purpose and perspective of board members, there really is a lot to break down here. I think you have to start with purpose, right? Governance, oversight. Board members are responsible for the overall governance and oversight of the organization, and they’re going to ensure that cybersecurity strategies align with the company’s really broader business objectives. Risk appetite, risk management is absolutely going to be a focus, right? The board is going to focus on understanding and mitigating risks, really, that can impact the organization’s financial health, reputation, operational continuity. So governance, oversight, risk management, right? These are going to be the three primary pillars, I guess I can call them, of the board’s purpose as it relates to cybersecurity. There are going to be some others too, right? So, the board is going to provide strategic direction, ensuring the cybersecurity initiatives really strategically support the long-term business objectives of the organization. Stakeholder assurance. They’re going to aim to give assurance to stakeholders, right? Investors, customers, regulators, business partners, that the organization is taking appropriate measures to protect its valuable assets and data. Beyond all of this, not to get too deep, there are also going to be new SEC requirements that are going to be on the radar, right? Describing the board’s oversight of risk relating to cybersecurity threats, management’s role in assessing and managing material risks from cybersecurity threats. Specifically, I don’t want to get too deep here, but SEC requirements are going to come into that conversation. So that really describes purpose and perspective from a board member. But as a CISO, there really is a lot of value to be provided by board members as well. Just basic resource allocation, right?
Board members, they have a crucial role in approving budgets, allocating resources, right, to support the overall cybersecurity program. From a value standpoint, you have to think about accountability. The board can hold executive teams accountable for implementing effective cybersecurity measures and achieving those desired outcomes. You’ve got to think of it too from, like, expertise and insight. On a lot of boards, you’re going to see really some diverse expertise and insights, right, from various industries even, and that can all help mold and shape a robust cybersecurity strategy. And then finally, from a CISO perspective, that support and advocacy, right? The board’s support can really help just elevate the importance of cybersecurity within the organization and really make it a strategic priority. You know, leading by example, right? Making sure, you know, they’re supporting the overall security strategy. And when you think about this interaction too, like Ashli mentioned, you have to think about that feedback loop, right? Incorporating that board feedback specifically into the CISO role, building relationships: you’ve got to foster really strong relationships with the board members to build trust, primarily to make sure you have their ongoing support, building regular communication channels, formal or informal. You have to have that trust. You have to have those open communication channels, and that’s really important for that overall feedback loop between the board and that CISO position. A couple other things you have to think about in that feedback loop too: metrics and reporting. As a CISO, you really have to showcase that ROI, like using very quantifiable metrics and really real-world examples to illustrate the effectiveness of your cybersecurity program.
And like using your metrics to really highlight the ROI the security program is bringing to the organization. But yeah, Ashli, I think that should cover a lot of the feedback loop there. And again, I think maybe just to add on to that a bit, and this kind of goes back to Bryan’s research, it’s really just aligning with business objectives, making sure that the cybersecurity initiatives are aligned with those specific business objectives, and that’s all captured in that feedback loop.
Yeah, definitely. Justin, just a bit more from you there. Tell us about some of the CISO roles you’ve played, without naming any names, of course. Maybe if any of your experiences really relate to some of the specific challenges that you talked about, or the communication challenges that Bryan referenced from his research. Give us a couple of anonymized examples for that.
Yeah, I think, as I mentioned earlier, here at Tevora, I do operate in a vCISO capacity, or a fractional CISO capacity. This is really geared more towards smaller or mid-market organizations, even startups, to some extent. And it’s very helpful, right? A lot of organizations just can’t afford to have a CISO in place. So, from a fractional standpoint, you can still have compliance initiatives, really mature the security program, and execute the security program to some degree. It’s a unique set of challenges. I think, generally, we’ll come in and just establish a baseline, prioritize based on risk, report that up to either leadership or the board. So, a lot of similarities between the traditional CISO role and the fractional CISO. But I think just to highlight some challenges: communication. I think Bryan and I are both going to echo that on this. So, establishing these regular communication channels, recurring touch point meetings. You have to really establish that trust, and you want to make yourself available for those board members to reach out. And to some degree, you have to kind of balance that as well, right? So, you don’t want to get hung up in a situation where there’s too much information coming downstream, right? So, I’m worried about this phishing attack and just really getting caught up in the weeds, and if you get to that degree, communication could almost hurt you, but you’re still establishing that trust, right? And really, I think the goal that I’ve learned, as far as lessons learned, is being really proactive with communication versus reactive, right? So, as you know, in a CISO role, emerging threats, right? You need to be proactive in communicating these threats in real time, just so the board understands what these risks are, and really reporting back metrics. The reporting of that is key as well, right? Put the information in a format that’s easy to digest, I would say, is a big key.
You don’t want to get too deep on technical jargon, you know, craft it in a way that’s easy to digest and really shows value in the long run.
Yeah, thank you, Justin. I think that makes a ton of sense. And I think I just saw a comment of someone really doubling down on the importance of what you’re talking about there in the comment Q and A section. Bryan, we’ll switch back to you for a minute. We’ve acknowledged one of the key problems is communication. Through your experience, why is it so tough for CISOs to see eye to eye with some of the other executives? And then, of course, not just to bask in the problems, but maybe offer us some solutions you found through your research as well.
Absolutely. I think Justin and I will probably find ourselves reinforcing one another’s comments. But, from my experience, which was also reinforced by my research project, it’s really the potential lack of knowledge and subsequent consequences that can affect organizational priorities, resource allocation and other capabilities and outcomes. Another interesting finding indicated that executive leaders with sufficient knowledge tend to build and support a more resilient cyber posture that enables the business, really. There were some other interesting patterns that also emerged, many of which I didn’t really anticipate, that surfaced how board member dynamics, such as personal interests, beliefs, industry or even age, can have implications which affect how decisions are made. An example might be whether a board member or an executive leader, based on their background and experience, views a security budget simply as a cost center versus maybe a business enabler. Depending on that one dimension, a CISO’s strategy might need to be adjusted to highlight the opportunity that a solid cybersecurity program can, in fact, be a competitive advantage.
Got it. Yeah, that makes sense. Thank you, Bryan. Justin, back to you, kind of on the other side of it. What are some of the impacts, or maybe we’ll say dangerous risks, you’ve experienced when boards do not understand cybersecurity or risk in general?
There are a couple vectors here. I would say probably the one that stands out top of mind is really just inadequate resource allocation, right? Like without a clear understanding of what the cybersecurity risks are, your boards may underfund these critical security initiatives, right? It’s an evolving landscape. And if there’s not a clear view of what those risks are, budget is a big thing. You have to have budget to stand up an effective program. And those kind of go hand in hand. But beyond just that obvious example there, I think there are some real threats, so maybe delayed response to threats, right? So, if the board doesn’t really grasp, I guess you can call it the urgency of cybersecurity threats, it may delay decision making, right? Think of incidents. In incident response, it can result in slower response times. That kind of snowballs into increasing the potential damage and recovery costs. So, without that understanding, that delayed response could come into play as a potential threat. You have to look at it through insider threats as well. Boards might not understand what the real risk of insider threat may be, or overlook the importance of addressing insider threats.
As we all know, as security practitioners, these insider threats can lead to significant data breaches, right, IP theft, stuff like that. So, I think those are a couple of very specific areas or impacts or dangers that might come into play when that situation comes up.
Yeah, thanks, Justin. And of course, to follow on that, not just to highlight the dangers, but let’s give it some action. So, Justin, speaking to a lot of people on the call here, I’ll phrase it for me, but what can I do to help my board members? Or, you know, what can everyone on this call do to help their board members?
I mean, right out of the gate, and I’m sure Bryan is going to double down on this as well, but you have to educate on cybersecurity fundamentals. Provide regular training sessions, workshops, to help board members understand just the basic cybersecurity concepts, and not only cybersecurity concepts, the current threat landscape. Just kind of like to dive in there: ransomware as a service is a thing now, right? And if you’re not proactively teaching these board members these critical concepts, that might go off the radar. And again, it just builds a foundational knowledge, and that enables informed decision making by the board, so they really go together. Otherwise, you can help just translate the technical jargon. Don’t present highly technical information. So, think of things like, you know, very specific vulnerability CVSS scores or whatever. They’re not going to understand that, right? You’ve got to break it down, and you have to learn what that common language is, what that vocabulary needs to be. You might have some people on the board who understand some of this, but you’re going to have some people who don’t, right? So you need to come up with a baseline, really just establish how you communicate these very technical concepts to the board, and it really helps the board members grasp the significance of cybersecurity issues without getting lost in the technical details, whether or not they understand it or if it’s just too much information to digest. Another way you can help: regular updates and reporting. Establish routines. We’re going to provide metrics, reports, trends, incident updates on a monthly basis, whatever that cadence is. But that needs to be routine. I feel like that’s where I’ve gotten the most traction. You get the most focus on that. And again, from a CISO point of view, when you’re trying to establish what that ROI is, you can show trends over time.
Our program, based on these metrics, you can see clearly, we’re going in the right direction. That’s the kind of information that boards are really going to want to have. Easy-to-understand graphs, clear metrics, trends, even emerging threats. You can really communicate that through those established regular updates and reporting. A lot of ways you can help board members, honestly, Ashli, even from risk assessments and risk management. Conducting regular risk assessments: don’t do this once every three years and just remediate that over time; you’re going to lose interest. So regular risk assessments, present the findings. There could be new threats identified in your risk management work, and these results really help provide a clear picture of what the organization’s risk landscape looks like in real time. Not only that, you can really communicate and highlight your remediation plans. These are the steps we’re taking. And boards like to see the details of how we’re trying to reduce our risk exposure over time. And again, just kind of piggybacking off education, when you think about incident response planning, disaster recovery planning, develop and share your incident response plans with the board members, because they do have a role in that. Make sure they understand what their role is in incident response. Make sure they understand what their role is in disaster recovery. It really just ensures that board members are prepared and know their role in the event of a cybersecurity incident. We’ve done exercises where we do, I think I mentioned ransomware before, conducting a ransomware preparedness exercise. Let’s really flex what our capabilities are: how does our cyber insurance policy help with that? Do we have forensics? How are we going to deal with that? Making sure that the board understands their responsibility in that response. So, if a major incident pops, it’s not new, right? They know what’s coming.
And probably the last thing, Ashli, I would touch on, and it goes back to education, but, you know, board members can really help foster a culture of security, and that is huge for the CISO. Security isn’t just something off the radar. We want, as a goal, as a CISO, to really foster that culture of security, right? So, advocate for security-first mindsets across the organization. Encourage board members to lead by example. And it really promotes that overall culture, from top to bottom, where cybersecurity is a priority at all levels. Doing that really helps enhance, I would say, the overall security posture of an organization when you have buy-in, you know, from the top all the way to the bottom.
Yeah, thank you, Justin. And I’m going to bring in one of the questions we got here, because it relates to one detail you said in there. So, the question we got was, how often are you typically reporting to a board? And Justin, you mentioned kind of that monthly update. And I wanted to just, you know, from my experience, I see quarterly as a pretty standard frequency. But the real point I want to drive home here, between what Justin said and from my experience, is that it’s really about just establishing that regularity, that consistency, that dependability in communication. And so, this is going to depend on your company, your culture, your board, a lot of different factors. Whether it’s monthly or quarterly, I think we would all agree here that, no less than quarterly in frequency, having that communication with your board on that regular basis is really the key there in establishing that cadence. But then with that, I’m going to go over to Bryan for our next question. Bryan, from what you’ve seen out in your experience or in your research, what are some of the tactics that can improve communication from CISOs to their boards?
Well, Ashli, that definitely depends on the board and even how the executive leadership team interacts with the board. What I have found to be most important is establishing a common operating picture. And what I mean by that is, does the board, does executive leadership, does the security program, all view the threat landscape relatively similarly, as well as, you know, the attack vectors and the things that are of the highest probability that might affect the organization. So, if you can align on that common operating picture, that’s the first major step to clear communication. Finding a common vernacular for communicating complex concepts can also be helpful. In previous roles, and in my current role, I’ve been blessed with industry terminology, or one former employer that loved military terminology, that helped, to Justin’s point, take complex topics and break them down in a manner where we could all gain the same understanding. I’ve always tried to promote security as a business enabler, as opposed to a competitive advantage. Justin mentioned return on investment, and how likely is it that an executive leader or board member would disagree that security could be a competitive advantage or a business enabler? Justin touched on working to establish personal relationships with your board when possible. I found that to be very effective, as well as creating really indirect support for your security strategy. I found tremendous success in networking with the other CIOs and CISOs of the companies where we share board members, to create those relationships where something that a board member might vet with me or vent with them is met with positive reception, meaning, yes, we’re aware of that technology, we found it to be a great investment, and so creating those indirect layers of support. But in the end, it’s finding that creative way to create a breakthrough in what I call cyber risk cognition.
And does the board, does the executive leadership team really understand that common operating picture?
Yeah, that makes sense. Thanks, Bryan. And yeah, folks on the line, if you have any questions or kind of follow-up, you want to dive into any details on anything that Bryan or Justin or myself said, although those guys have given much more content, please feel free to directly send those our way or through that Q and A option within the webinar. We’ve seen a couple roll in. Just want to encourage everyone to continue to send those through. Let’s see, another question, and Justin, I’m going to kind of kick this one back to you, pulling together different information that we have talked about here, from your experience, from Bryan’s experience. Justin, in your role as a vCISO or fractional CISO, have you had the opportunity to utilize any of these tactics or approaches?
Oh, several. I think what Bryan just went over, that information is so valuable. I think establishing trust, right? You have to establish trust. That can be difficult, but you have to establish trust and really personal relationships with these board members if you want to be successful. I think Bryan, you also touched on creating indirect support for your security strategy. And I think one area I could highlight on that is you have to think that it’s not only just a board, like a board of directors; you also have internal audit committees, audit chairs, right? So having buy-in at multiple levels. With the audit committees, you need friends there. You need relationships there as well. And the more relationships you can establish, really, not only with the board, but with some other audit committees, that’s going to make your job of making sure that the cybersecurity program is operating in a sufficient manner easier. It’s just going to help stand that up and be easier for you. I think those are two specific areas that Bryan mentioned that I’ve been able to utilize.
Yeah, thank you. Okay, then Bryan, one more of our prepped questions, and then we’ll get into the kind of growing list of the questions coming in from people here. Keep it coming. Love the questions I see. So, Bryan, one of the conclusions or potential solutions that came from your research is about the role of experts, third parties, etc. If you can dive into that, what are the situations where outside help can be productive for the CISO and board?
Absolutely, you know, outside consultants can be very helpful in helping to establish that common operating picture that I was referring to, particularly with the board. You have to be creative in how you position it, whether it’s training, awareness, tabletop exercises or just some form of a threat intelligence brief that’s available for the board members. Now, there are lots of different dimensions of the board that you’ve got to kind of consider when you position that. But even the research synthesized that bringing in a trusted or strategic partner to further drive education and awareness at the board level can be extremely effective in terms of maturing cyber risk cognition, given an alignment to the security program as well as contextual awareness of the company or institution, and that’s why context matters in that communication. Cyber risk cognition, in turn, can transform a security program or the company’s posture, given the potential for a top-down cultural shift that executives can influence. And of course, Justin touched on that just a few minutes ago. This also highlights the buy-in factor that security leaders need from their board to deliver successful strategies and programs.
Yeah, definitely. And Bryan, you mentioned there a bit about training. I’m just going to ask you to expand a bit since we got a question on this. The question was about, should training really be a two-way street, especially at those firms, well, really, firms of all sizes, because the CISO and the board members and executive members, you know, are trained to speak to each other at those various levels. So really, can you talk about how training, a multi-directional training, should be considered?
Absolutely, and so it is definitely multi-directional, because as a security leader, my intent is to help the board understand the common operating picture and threat landscape, but at the same time, I’m trying to detect or understand, from a board-level perspective, what is the information that I need to bring back to them, and how do I need to present it for them to be able to perform their fiduciary duty? Justin touched on metrics, KPIs, dashboarding: how do you boil down something that is an inch deep and a mile wide into, say, half a dozen to a dozen indicators of program health and performance, to effectively then get that support and funding to drive the program forward? It is definitely bi-directional, and really to a very large degree, the burden is on the CISO, or the security leader, to find the common vernacular, to find a creative way to drive education and awareness, getting them the contextualized information that they need to then be able to understand the information they need from you, how it needs to be packaged and communicated to effectively achieve an outcome of an optimized security program, and that board-level support is extremely important to delivering an optimized outcome. So that’s a great question. It is definitely bidirectional.
Got it. Thank you. A couple of questions we’ve had are about some of what I would call the logistics of communication. I’m going to put a couple together here, and I’ll have each of you answer this. Justin, we’ll start with you. It’s about how much time you get with the board, and do you ever meet in person?
Yeah, that’s a great question, and I think it’s fluctuated over the years. Logistics always comes into play with that. I do, at least with the work that I do in a fractional CISO capacity, have in-person type meetings at least once a year. And I think it really comes back to what kind of communication channel you’ve established. It’s a two-way street, right? So, what are the expectations? You have to set expectations on this. I can’t, but really, the face-to-face, in-person meetings, attending board meetings, doing your security report-out in person, I feel that you just get a little more traction. You can really convey some topics when you’re able to really see a room and see how people are interpreting some of this very technical information, and it’s a great way to gauge the effectiveness of your communication, just through non-verbal communication, or whether people are confused. From a timing standpoint, it’s going to be different from organization to organization. I don’t think there’s just one answer; it depends on the size of the organization and how it’s structured. You really have to have that conversation and really have a deep understanding of what the expectations are. But I do feel like there are some strategic advantages for CISOs, or fractional CISOs, to have that face time in person at least once a year, if not more frequently than that.
Yeah. Thanks, Justin. Bryan, from your experience, or maybe your research about what you’ve seen is most effective, same question about time and in person?
I’m going to double down on what Justin shared, in that I would even take the approach of in person as often as possible. I’ve had the privilege of interacting with Fortune 50 and Fortune 250 boards, and if you can establish those relationships and maybe even become a source of information, of trusted information, for those board members, that’s the best spot to be in. I’ve welcomed every opportunity to meet in person, quarterly board meetings in person, to help facilitate that communication transfer. But you talk about sources of information, and that was one other thing that came out of the research: where do board members source information from? Based on the experience of the participants, who were remarkable industry leaders, it typically tended to be independent research, where they would go out and conduct a web search or catch a headline of something that happened, which in many cases could lead to significant efforts pulled up within a company because a simple question was asked by the board. And so having those relationships in place and facilitating communication as often as possible tends to redirect activities like that into a response that has tremendous context. But that’s kind of the art, so to speak, of what we do, in terms of figuring out the vernacular, reading those trusted relationships, facilitating that communication as often as possible. And then, back to the origin of the question, you know, capitalizing on every in-person opportunity to get as much mileage out of it as possible.
Got it. Thank you. And I won’t repeat everything, because those two covered it, but I pretty much triple down on what they say. Get with them in person, if you can, to really get to know and understand what communication style your board has, and vice versa. And then, with that, we got another question. So we’ve talked a lot about being aligned, on the same page, the board and the CISO, and the CISO and the board really needing to make sure they’re speaking the same language there. But this question is about, other than that, what is the most salient thing you feel you can do as a security leader to ensure you’re navigating towards maximum effectiveness in your organization? Justin, I’ll kick it to you to start with. But of course, then Bryan, if you have any nuggets you’d like to add, jump in as well.
Yeah, I think earlier in the conversation I really identified the three pillars of the purpose of a board: governance, oversight, and risk management. I think you really have to focus on risk management, right? So when you’re thinking about how to maximize the effectiveness in your organization, you have to be very good at navigating risk, prioritizing risk, and, in your overall security road maps, providing the most value to the organization by prioritizing high-risk items up front and making sure that the boards understand how much risk each of these objectives might have. Make sure they understand why we’re doing something now versus six months from now, and what kind of risk mitigation value you’re getting on that. I think when you’re looking at, just as a security leader, having maximum effectiveness, it’s really focusing on what’s important, and that all comes from risk management and prioritizing risks appropriately and accurately, and tackling, you know, the big items, the high-risk items, first in your overall road maps.
Yeah, actually, I’ll double down on what Justin said. It’s all about prioritization. But for me, the most foundational layer or element is your team. It’s building and sustaining your team, and it’s from that team that you’ll have those tactical and operational insights that can lead into a prioritized security strategy. I have been blessed with remarkable teams throughout my leadership history as a security practitioner, and so for me, the foundation begins with them, and they can then lead you into that effective prioritization that Justin’s talking about, because in the end, you can’t boil the ocean, and you also can’t take 100 problems or opportunities to your board. You’ve got to wind that down to something manageable that you can then drive a very strategic conversation around.
Definitely. Okay, thank you. Well, then, I think this is possibly our final, or maybe one of our final, questions, getting into some real-life scenarios with each of you. Any interesting anecdotes or tidbits you’ve learned in your research or your work as a CISO? Again, anonymized, of course, but any fun stories you can share?
I’ll take a stab at that first. I was having a recent conversation, as a fractional CISO, about the concept that compliance does not equal security, and I think that’s something that you have to really navigate. As a fractional CISO, or as a CISO, you have to have a keen awareness of truly identifying risk. So, for example, when you’re talking about compliance versus security, we don’t want to be in a position, unless there’s a significant organizational risk to achieving a compliance certification, adaptation, whatever, by a certain time threshold, where we’re just checking boxes to meet compliance objectives. Oftentimes, that’s not good security. Really separate out compliance versus security. Yes, if compliance is a big objective, you have to march towards that. But the degree to which you can implement a security control that goes above and beyond what a compliance requirement might take is very crucial, and it’s something you just have to navigate, and you can’t lose sight of the difference between compliance goals and overall good security goals.
Yeah, and so I’ll double down on... oh, go ahead, Ashli. Okay, well, I was going to say, Justin, you’re absolutely spot on. We all work to clarify the difference between compliance and security. But I thought what I’d share was probably, I don’t know if I’d call it the biggest aha moment of my research, but the one that I think surprised me the most. It was the dimension of interacting with board members that I expected the least. Actually, I’ll be honest and say it wasn’t even on my radar. But one of the participants in the research study, who is a remarkable contributor within the industry, highlighted age as a factor, and that’s something that I had just never really thought about in terms of interacting with board members. The way that they explained it was by describing how they interact with Fortune 500 boards, on which they sit, but also some private boards. And the comment that they made, which was very insightful and has caused me to really think about this dimension of interaction, was that this person, who is arguably 10 or 15 years older than I am, mentioned that when they went into a board meeting of a publicly traded company, where they sat on the board’s audit or risk committee, they were one of the youngest people in the room. But conversely, when they then attended a board meeting for a private company that was venture capital or private equity backed, they were in fact the oldest person in the room. And so that was just something surprising that I did not expect to surface out of the research, that that might be a dimension to also consider, because you’re talking about a depth of understanding of contemporary technology, or the decades of experience that would then form the personal beliefs or the ideas that that board member had, which then further reinforces the common operating picture and finding a vernacular by which to discuss risk.
That was probably the one that surprised me the most, and then to have that reinforced throughout other interviews with other industry experts, it was just one of the ones that I’ve spent more time thinking about.
Yeah, that makes sense. Okay. Well, with that, I think that’s a wrap for today. Thank you, Bryan and Justin, for being our panelists, and a big thanks to everyone who joined us live today. Please reach out if any questions pop into your mind later. To everyone, thank you again for joining, and we will see you at the next Tevora webinar.
Thank you, Ashli.