English writer Nicholas Evans authored best seller, “The Horse Whisperer,” in 1995. The book became a movie directed by Robert Redford who also starred in it along with British actress Kristin Scott Thomas and Scarlet Johansson. As I recall, the movie lasted longer than some Hollywood marriages. But it had its moments. As the name suggests, the story revolves around the ability of Redford’s character to speak to horses. His modus operandi involved learning how horses think and what they need. A similar approach would serve CIOs and CISOs well as they communicate with chief executives and corporate boards.

Writing in SC magazine, Feris Rifai, CEO and co-founder of Bay Dynamics, a provider of cybersecurity risk analytics, provocatively suggests that IT and security executives need to learn to “Speak the board’s language or get fired.”  Rifai asserts that many CISOs engage in a relatively pro forma exercise when reporting data, perhaps unintentionally assuring that the board does not really understand the company’s cyber risk posture. He suggests CISOs provide data with context. “For example, if they spotted a vulnerability with an associated threat to a treasured asset and therefore elevated the company’s level of risk, they should be able to show where the data came from, when it was collected, who was informed at the time, what steps were put in place to remediate it and what the company should do as a whole to prevent it in the future.”

So, how should one whisper to a corporate board? Commenting on a recent survey of corporate boards conducted by Veracode and the New York Stock Exchange, Chris Wysopal, CTO and CISO at Veracode recently said, “Boards want the CISO to give them risk metrics and peer benchmarking. They want to know how they’re doing related to like companies. Those are all good things that are going to help boards understand the true risk of cybersecurity.”

Additional advice was offered by Microsoft CISO Bert Arsenault at the annual RSA Conference in San Francisco. “Be prepared for things the board wants to talk about including, do you have everything you need – “and the answer better be ‘yes,’ or ‘I do, but here’s the things I see coming,” just to make them aware…. Other likely questions include describe the overall security plan and how it will be exercised. More enlightened boards will also want to know about staff security education, and ask about the security culture.

It really doesn’t take extraordinary skills to become an effective board whisperer. It does require understanding both what your audience wants, and what they need. You have to respond to the want, and be sure they understand the “need.”

By Tom Davis, SDI Cyber Risk Practice

May 3, 2016