MongoDB's chief of cyber security has said that those in CISO roles shouldn't be afraid to explain technical concepts in lay terms to other executives if it leads to greater understanding across the company's board.
Explaining the gravity of security events and related issues to executives and directors can be a difficult task given the amount of jargon in the field, but taking the time to communicate things clearly can prevent long-term problems in an organisation.
Speaking at Scot-Secure this week, Lena Smart, CISO at MongoDB, said that in her 12 years serving as a CISO, she has dealt with both highly technical and less-technical board members.
This, she said, is typical of many CISO experiences throughout a range of industries and requires senior security practitioners to tone down the use of technical jargon. But it’s an issue that still causes frequent problems and results in poor communication between executives and senior staff.
A recent study from Kaspersky and PwC found that 20% of business executives “prefer not to flag” their lack of understanding on security-related topics, while 43% reported feeling embarrassed revealing they don’t understand a topic and “don’t want to look ignorant in front of IT colleagues”.
In particular, the study found that 36% don’t ask additional questions in meetings because they don’t believe IT peers will be able to explain complex topics in a clear way.
This highlights a long-running disconnect between security staff and executives, and it’s an issue that Smart said needs to be addressed by security staff.
“Albert Einstein said the definition of genius is taking the complex and making it simple,” she told delegates at the conference. “The board expects you to be an expert in your field, your boss expects you to be an expert in your field.”
“So be comfortable with that expectation. Live up to it and don’t be afraid to give a distilled version of a topic. It’s easy to get into technical gibberish and use lots of acronyms, but one of my big rules it that there are no acronyms used for the board.”
Distilling topics down to plain terms language is a valuable skill for CISOs engaging with the board, Smart added.
In doing this, security personnel can contextualise often highly complex issues and deliver valuable insights into the acute cyber-related challenges organisations face.
A common stumbling block for security staff is overloading the board with information in an attempt to showcase their apparent expertise. This, she noted, does little to impress board members of their competency, and instead creates a fractured meeting environment.
“Talk about subjects you’re comfortable talking about,” she said. “I’m not a software developer, so I’m not going to talk about those things. I’m going to talk about things I’m comfortable with, such as keeping our customer data safe, the latest rules coming out of Europe, or Asia, or America.”
“Don’t try and show off and select a topic that is super technical. I was once asked to talk about cryptocurrency, but I’m not an expert on that. Just be honest, tell them you don’t know about a specific subject.”
Preparation tips for dealing with the board
Knowing your board and preparing for a meeting is essential for CISOs, Smart said. And while this may appear obvious, she said throughout her career she has witnessed several instances where individuals simply do not prepare adequately, or act unprofessionally in these high-pressure environments.
“Board time is very expensive. So, when I get that hour, I hit the ground running. I’m always very prepared. We use the AWS memo format, which is a statement of intent with an agenda, the top things we want to cover, and your addendums and diagrams. We send that to them a week in advance, our legal department sees it, the CEO sees it, and signs off on it,” she said.
Using this preparation method, Smart said it enables her to specifically target key points and avoid the dreaded information overload that boards and executives loathe.
Expecting the unexpected was also a key recommendation. Smart said CISOs should expect the board to “drill you on issues you know nothing about”.
This can be a common tactic to throw an individual off and establish whether they are being upfront and transparent on key issues, so senior security personnel should be wary of this.
“Be prepared for questions. I can’t say this often enough. It’s the same as when you go talk to your boss. They throw something at you that you’ve never even thought about, and you’re not expected to know the answer. Just be honest,” she said.
“I’ve seen people I thought had it together just fall into a puddle on the floor because they were asked a question, they made the answer up, the board knew they made the answer up and they didn’t have a job anymore.”
In these instances, Smart said some individuals tend to become highly defensive or manufacture facts. Remaining calm and being honest is the best approach in these circumstances.
“Don’t become defensive,” she insisted. “I’ve seen people be very defensive previously. The board didn’t attack him, so to speak, but said ‘we don’t think that’s right’ and they’ve lost the plot and walked out.”
Varied board engagement
Smart emphasised that this process is no one-size-fits-all approach. In her career, she has served as a CISO at the New York Power Authority, a fintech company, and now at MongoDB.
This, she noted, has given her a comprehensive insight into the varying technical capabilities boards command across a range of industries. As such, engaging with executives requires an understanding of their backgrounds.
CISOs should “try to find commonalities” with board members and cater their approach based on the unique challenges that specific organisation faces.
“As well as trying to find commonality in the room, before a meeting I would work out the main thing that’s going to keep these people up at night,” she explained. "So, for the power industry, that was kind of easy. At MongoDB, we’re a data developer platform. Our number one thing is keeping customer data safe. Data is property, it’s gold. It’s worth a lot of money and they expect us to keep their data secure."
“What you must be able to do once you know your audience is make sure that you’re describing your problem, or your programme in an elevator pitch-style format.”
