CISO Success Story: How to Build Trust With the Board? Don't Talk Cybersecurity (Much)

With digital threats coming from all directions, modern cybersecurity chiefs generally know that no matter what they do, an attack will ultimately succeed.

And they’ll have to explain why.

For Dr. Dennis Leber (at right), who oversees cybersecurity at Honest Medical Group, a value-based healthcare startup with headquarters in Nashville, it’s critical to forge close partnerships with the C-suite and board of directors. Nurturing such relationships goes a long way to securing a CISO’s position in a company and a company’s position in any given industry. It also fuels the kind of strategic collaboration that experts now deem indispensable when it comes to limiting the risk of such cyberattacks and the pain associated with them after they occur.

LAST CHANCE: Join thousands of global IT and security experts – in person or online – for keynotes, breakout sessions, labs, and certifications. TANIUM CONVERGE 2023, Nov. 13 – 16

Regularly named to lists of top security leaders, Leber says today’s CISOs can no longer afford to drive cybersecurity strategies in isolation. He argues that business success and safety require deep and ongoing communication and strategic collaboration.

That echoes a Gartner survey that found 67% of the best CISOs define risk appetite through work with senior business decision-makers. Only 28% of bottom performers do so.

Focal Point caught up with Leber to explore how he approaches working with – and reporting to – senior leaders and board members. Here’s what he had to say:

[This interview has been edited for clarity and length.]

How do you create a trusted relationship with the business side of the house?

I start building that trust from the very moment I join an organization. When I’m doing that, I hardly talk about cybersecurity. Instead, I listen to what my business partners are complaining about, what they’re trying to accomplish, and what they need. Then I develop cybersecurity programs in the background that align to what they’ve communicated.

For example, at a higher education organization, I worked with a department that aired frustrations with previous practices that limited and hindered their research. I developed a program that separated the research data environment from the clinical data and facilitated the work, removed shadow IT, and reduced risks.

Some CISOs struggle to get on the same page with business leaders. How is your approach different?

Well, first of all, I try to help the business understand that the cybersecurity office is here to enable and facilitate—and not be the “Office of No,” which it is in some organizations. And if our team does have to say no to something the business wants to do, we always offer alternatives for the same goals. It’s all about building trust and confidence with our business partners.

I also prioritize the need to be a translator. I definitely want to address risk, vulnerability management, patch management, and secure architecture. But you don’t establish common ground with business leaders that way. So, instead of trying to teach them the language of cybersecurity, I learn the language of the business and then translate that back to my team.

When you do that and understand the objectives of the business, your metrics tend to fall in line because you suddenly have something relevant to measure. Cybersecurity must be where decisions are being made. Once you are in that group, you understand the objectives of the business and you then align the program to those objectives and define the metrics to the business around the same goals – for example, how developing a secure enrollment system contributes to a goal of increasing student enrollment by a defined percentage.

What kinds of things do you measure for reporting purposes?

It depends. When we’re deploying a new solution, for example, we might want to track what breaches we’ve had, how the solution is working, the kinds of attacks we’re seeing, and whether we have the right remediation and alerts in place to address incoming threats. We would also track user satisfaction, as well as how often our employees see social engineering scams.

[Read also: Worker distraction is on the rise, which lowers the chance that they’ll spot scams – digital employee experience (DEX) platforms can help]

We know from recent examples – like the September MGM Resorts ransomware attack – that it only takes one 10-minute phone call to disrupt an entire business, so it’s important to keep an eye on that.

Most organizations have cybersecurity awareness programs to help thwart phishing and vishing attacks. What does yours look like?

You can have all the tools, monitoring, alerting, and benchmarks in the world, but it’s just as important to pay attention to the human factor: your employees. So, we do what I call “SPAR Training,” which I borrowed from boxing and martial arts. It stands for security preparedness and response, and it’s a little different.

Most corporate cybersecurity training, in my experience, is boring…. We do “SPAR Training,” which I borrowed from boxing and martial arts.

Most corporate cybersecurity training, in my experience, is boring and repetitive. A lot of it is designed to meet legal requirements . . . to show that a company did its due diligence if an incident lands it in court.

For that reason, a lot of security awareness training programs operate on fear or punishment. SPAR Training instead focuses on educating employees about threat possibilities so they can confidently respond, without fear of reprisal, when they come across them.

The vast majority of CISOs report to the board at least once a year. Any tips for doing that effectively?

Sure. Anyone who’s spoken to a board knows you have maybe five minutes, tops. So, it’s got to be a real quick, down-and-dirty presentation.

[Read also: CISOs and boards must learn to communicate, and former national cybersecurity commissioner and seasoned board director Maggie Wilderotter knows how they should do it]

At Honest Medical Group, I talk in terms of how my program is protecting our company but also cover how it’s providing cybersecurity assurances to our customers. Then I will talk about the efforts we’ve made to enable that, where gaps still exist, what I’m able to do about them, and where I need support or budgetary decisions.

Any final pieces of advice for your cybersecurity peers?

Yes: Continue to learn; never stop learning and adapting. We often get caught up in what’s needed right now as opposed to looking at the big picture. There’s a lot of ad hoc work, and you need to get away from that and look at what’s coming. What prepares you for three, four, or five years from now.

AI [artificial intelligence] and ChatGPT took off seemingly overnight, and many organizations are just now trying to figure out the cybersecurity implications of that. Similarly, quantum computing could be here as early as 2025, and we need to be ready for that, too.

My advice is: Plan now. Don’t wait until it’s too late.

TO LEARN MORE

Check out other exclusive interviews with security leaders in our “Success Stories” series.

• CISO Success Story – Predicting Cyber Risk (Accurately) Is Easier With This Guy’s Formula
• CISO Success Story – How LA County Trains (and Retrains) Workers to Fight Phishing
• CIO Success Story – Looking At the Flip Side of Third-Party Risk
• CISO Success Story – How Zoom Achieved Cybersecurity 2.0 With Cyber Risk Scoring