Board Primer

Building a Relationship with the CISO

By NACD Staff

04/12/2021


As corporate information-security functions mature, corporate directors must ask themselves how they can effectively communicate with the security executive. The individual occupying the position manages vast numbers of operational, reputational, and monetary risks. 

The development of a close and candid relationship between the board and the CISO is increasingly important for effective cyber-risk oversight. Accordingly, many board members now seek to establish an ongoing relationship with the CISO, not only through full-board and committee meetings but also outside the boardroom. This Tool offers guidance on how boards can more effectively establish a relationship with their organization’s CISO and security team.

At NACD’s inaugural global Cyber Summit in 2015, more than 200 directors from Fortune Global 500 companies and cybersecurity experts discussed the evolving role of the CISO, including the potential for this individual to serve as a critical source of information and insight for the board. As one director observed, “A strong cybersecurity program allows our business to compete and flourish. A CISO with the right skills can be a tremendous asset, including as an informed set of eyes and ears for directors, but at too many companies they are still viewed as tactical support for the CIO.” (Quotation is from a participant in the Global Cyber Summit, held April 15–16, 2015, in Washington, DC. Discussions were conducted under the Chatham House Rule.)

This Tool provides a guide for directors to establish or enhance relationships with the CISO and security team. The questions and guidelines below can help directors do so and, consequently, gain a better understanding of the company’s overall approach to cybersecurity. Because not every question will have relevance for every company, directors should select those most appropriate to the issues and circumstances at hand.
