Imagine you are the CISO and have been requested to present to your board.
What is your topic? And what do you want to include, or leave out, of such a presentation?
In a recent conversation, I was asked that question. Specifically, ‘what are the top threats that you would present to your board?’
This is actually two questions.
- What are your top threats?
- Would you present ‘threats’ to your board?
I have to say that I failed here. Because my answer to #2 was ‘no’, I pivoted on #1 to what I would present instead. Let me explain.
Question #2 reflects a philosophy that operational metrics (threats, vulnerabilities, patch status) convey a level of risk that the board needs to understand. I think of this as going to my doctor and helping them analyze my blood work report.
I’m heavily invested in the result, but need the doctor to read the data and come back with a game plan.
Now, this is not an entirely fair analogy, in that I geek out on my health data, having even charted my A1C against different drug regimens in order to measure overall outcomes. I love nothing more than digging into my continuous glucose monitor data, which takes a new reading every five minutes, to see how food affects my performance. But, getting back to the analogy, this isn’t normal behavior.
If I’m presenting raw data, let’s say vulnerability and patch data, to an executive, it must be in support of a decision I’m asking them to make. It may be the data I rely on to make good decisions, but I can’t expect people outside our field to interpret it in a meaningful way.
So, when I answered the question above, I pivoted to risk and strategy. These are the domains that are more natural for a board member to be interested in and for me to present as a CISO.
However, that was not the right answer.
In this case, there was a more valuable lesson in the question. When it was asked, the two questions had been merged into one: ‘what are the top threats that you would present to the board?’
As a leader, it is important for me to listen and be able to understand the context of what someone is trying to communicate. In this case, rather than answer straightaway, it would have been more appropriate to ask if the two questions I thought were there were in fact correct – and to talk about them individually if appropriate.
By not doing this, I either assumed I understood the context of the question, or assumed an answer to one part and focused only on the part that was more accessible to me. This ‘spin’ is something we see too often, and it prevents us from building a common understanding when assumptions are wrong or differences go unexplored.
It reminds me of the dichotomy we all face as leaders. If we come to our position as practitioners but also serve as strategists, taking a moment to respect both roles is critical to the success of our mission.
Don’t be pressured into the familiar or quick response when presented with a question. Your twitch reflexes favor what is top of mind, but may miss the underlying opportunity. Take a moment to understand it and consider how your action will move the team forward. As a leader, your role is to balance these different voices, those in your head and those around you, to arrive at the best result.
About the Author
Bill Weber is a Virtual CISO and Entrepreneur located in the United States. He works with clients who want to better understand their risks and create meaningful advantages for their organizations by tackling those risks, creating real long-term stability.
You can find his company at cyberfoundry.io.