Learn board security buy-in strategy from the NCSC for CISOs

October 8, 2024


TLDR:

  • The NCSC provides guidelines for CISOs to communicate with the board effectively
  • Key points include using non-technical language, making risks tangible, and connecting with what is important to the board

In a recent article by The Stack, the National Cyber Security Centre (NCSC) offered guidelines for CISOs to improve security buy-in from the board. The article highlights several key elements:

The NCSC emphasizes the importance of speaking in language executives will understand, so that cybersecurity is not seen as a necessary evil or a cost centre. They advise using non-technical language, making risks tangible, and connecting with what is important to the board. CISOs are encouraged to own the problem and to persist in explaining issues to the board.

Board meetings are not the best place for in-depth discussions, and CISOs are advised to develop contacts with board members outside regular meetings. CISOs should expect questions about the cyber security threat, benchmarking against other organizations, managing risks effectively, and incident and contingency plans. The article also suggests that CISOs should provide concrete, quantifiable risk assessments to resonate with leadership.

Overall, the NCSC guide serves as a starting point for CISOs to improve communication with the board, but customization is necessary for each organization’s unique risk profile and threat landscape. By focusing on clarity, conciseness, and a business-oriented approach, CISOs can effectively demonstrate the importance of cybersecurity initiatives to the board.

