How do you report your security culture progress to the board?

With an increasing number of organizations implementing security culture programs with the aim of managing human factor risks, Praxis Security Labs have noticed that senior management and the board of directors are increasingly more engaged in security culture. This engagement is crucial to the success of a human centric security program.

People follow other people. If employees are asked to complete a security related behavior, but observe that the management does not seem to care, not only are they less likely to engage in the security activities, they may even actively sabotage them (Petrič and Roer, 2022). This is why actively engaged Board members and a senior management that champion cybersecurity are key to success. 

Partnering with the senior management and the board of directors often means regularly reporting the current security standing. The reporting will often include progress and updates on the goals. The challenge for many CISOs can be that these reports need to be short and to-the-point. No fluff, no distraction, and using words and terms that are more business related than technology related. This becomes even more important when it comes to reporting on human factors of security, as many executives instinctively feel that culture and human factors can be soft and fluffy.

Turning up the relevancy 

Reporting on security can be a challenging task, particularly influenced by expert bias (see my previous post, “Conquer expert bias in cybersecurity with next level focus”). A second challenge is that security is a rather complex topic, and it can be difficult to choose both the right information to feed up the chain and how to present it in a way that resonates with the executives and the board of directors. 

Instead of reporting on technology and details that may be relevant to you, seek to make the reports relevant to them. To help you get to a place where you are reporting both what is of interest and relevant to your decision makers when you create your security reports, here are some questions you can ask yourself:

• How much time will I have to present this? 5 minutes? 15 minutes? An hour? 
• How often do you report to the executives and the board of directors? 
• How do the executives and the board of directors use the reports you provide? 
• What is strategically important information in my report? How does it align with previous requests and questions / directions from the executives / board of directors? 
• How does my report align with business goals and objectives? Do I connect the dots between the business goals and objectives and the security topics I report on? 
• What are the topics being raised by the board of directors and the executive team? What are the common threads? What are new requests? 
• Who on the board of directors is taking a stance for security? Is there someone who understands security? Who can you recruit as an ally on the board? 
• What particular topics and areas of interests do each of the board members have? How do their areas of expertise align with each other, and with security? Use this knowledge to adjust your communication with each member of the board, and relate security concepts and concerns to something in their field of expertise that they can relate to. 

Now that you have a base for crafting your report, your next big step is to apply this information to your report. This can be done in the following steps: 

1. First, add everything you want to report on to your draft. At this point, more is more, so do not hold back just yet. 
2. The second step is to take the information from the previous step, map each piece of information to specific areas of interest and focus on each of the board members. This task is to make sure that at least one person on the board can relate to the specific piece of information. Not everyone needs to get it, as long as one person can relate. Repeating the process for each board member will allow you to communicate your core information in such a way that that every board member will be able relate to at least one piece of information, thus allowing the board to discuss and decide on what to do with the information. 
3. In the third step, you review the information from step one and step two with the aim of ensuring that the important, core part of the information you report on is included. If you discover that some information you deem important is not in the report, you go back to step two and decide how to relate the information to one or more board members. You may have to replace some other information you previously included at this step. 
4. In the fourth step, you ensure that the information you need to report fits into the time allotted for your report. Everything you cannot get into your presentation should be moved to a written report, where you make sure that the information is conveyed in such a way that the information relates to each of the board members, as per step two above. 
5. Finally, present your report, leaving plenty of room for questions and clarifications. A good tip is to prepare one or two questions that are relevant, and that you want your board to ask, in case they do not have any questions. By priming them with relevant questions to ask you, you also train them for future interactions. 
6. If you are given time, make sure to take this opportunity to ask the board about their opinions and directions for the securing of the company. 

This approach may seem like a lot of work - and it is. The value in the process is to ensure that you are relevant, so that the board of directors get access to what they need while not being bogged down with minute and irrelevant details. As a bonus, this kind of exercise will also help you to prepare any presentation and report to any audience because the steps are very much the same. Preparing your communication to resonate with the audience is very powerful, and the most effective way to help drive the change that a security culture program is. 

At Praxis Security Labs, we develop technology for managing human factors risk and it includes reporting progress throughout. These reports are both operational and executive - making it easy to monitor progress and communicate with all stakeholders at each step of the process. Book a call with a Praxis specialist to learn more!