How to Bridge Business and Cybersecurity as a CISO


Summary

Bridging the gap between business and cybersecurity as a CISO means aligning technical expertise with business priorities, fostering clear communication, and demonstrating how cybersecurity contributes to overall company goals.

  • Speak in business terms: Avoid technical jargon and present cybersecurity challenges and solutions as they relate to business risks, financial impact, and strategic objectives.
  • Understand the bigger picture: Expand your knowledge beyond cybersecurity to include financial literacy, market trends, and business operations, enabling you to engage effectively in board-level discussions.
  • Build relationships with stakeholders: Develop trust by connecting with business leaders, understanding their goals, and showing how cybersecurity supports these objectives without relying on fear-based tactics.
Summarized by AI based on LinkedIn member posts
  • You’re not a CISO, you’re an imposter! That’s what one board director jokingly told me after my panel discussion this week with Christopher Hetner, Thomas Etheridge, and John Frazzini. He was surprised I didn’t speak in “1s and 0s” or talk about technical controls. Instead, I focused on the business and how boardroom discussions on cyber should feel like a natural extension of the board’s business agenda.

    Many CISOs aspire to earn a seat in the boardroom as a director; this was a hot topic in one of the NACD sessions on Monday. My suggestion: don’t think of yourself as a CISO looking to become a board member; instead, learn to think and communicate like a board member, i.e., “become” a board member who happens to have CISO experience. In the Army, I was a Soldier and warfighter first; my cybersecurity position was secondary. In the boardroom, you are a board member first; specific expertise and focus are secondary. Earning certifications such as NACD.DC and QTE is great, but just like in cybersecurity, earning the CISSP does not make you a CISO.

    - Study business and macro industry trends.
    - Understand business risks beyond cyber risks.
    - Learn to read financial statements.
    - Have a view on GTM strategy.
    - Understand complex issues related to M&A and international operations (beyond cyber due diligence).

    Thank you to all of the board members who approached me after Monday’s panel discussion. I deeply and humbly appreciate the feedback and discussion. #ciso #directorship

  • Binoy Koonammavu

    CEO, CISO, Mentor | Helping businesses transform securely

    6,375 followers

    Most CISOs don’t have a technology problem. They have a translation problem.

    When I first started my CISO role, the role reported to Risk Management. Prior to this role, the language I used was pure tech. However, in the new role, tech was Greek to my management and the CEOs I worked with.

    It was October 2007, three months into the job, when I was invited to the General Managers Meeting (GMM) to present the cybersecurity strategy. The boardroom was packed with 20+ GMs and AGMs, and I was ready to present my ISO 27001-inspired Information Security strategy. I had delivered similar strategy sessions in my previous role, mostly to tech leaders, and they were well received by those audiences. However, my message got lost during this session. Not because they were wrong, but because I didn’t speak their language.

    I learned CISOs are often forced to speak two languages:
    * The technical truth
    * The business story

    And guess which one wins in the boardroom?

    My takeaway: Your success as a CISO isn’t just about securing systems; it’s about securing buy-in. That means learning to:
    * Frame risks as a business impact
    * Speak in outcomes, not alerts
    * Translate urgency into strategy

    If you’re a CISO, what’s the hardest part about getting buy-in from the top? Would love to hear how you bridge the gap.

  • Shawn Robinson

    Cybersecurity Strategist | Governance & Risk Management | Driving Digital Resilience for Top Organizations | MBA | CISSP | PMP | QTE

    5,085 followers

    🌟 Developing “Rizz” as a Cybersecurity Professional 🌟

    I had funny conversations with my soon-to-be-teenage son and his friends on the topic of “Rizz.” It got me to thinking that many of us in cyber have no “rizz,” which is why we struggle to translate cyber to non-technical business professionals.

    In the world of cybersecurity, having technical chops is essential, but it’s not the only thing that matters. To really make an impact, we need to develop some “rizz”: that special charm that helps us translate complex cybersecurity issues into business needs and get buy-in from leadership. Here’s how you can level up your game:

    1. Speak Their Language 🗣️ Ditch the jargon. Explain how cybersecurity initiatives align with business goals. Use relatable analogies and real-world examples.
    2. Build Relationships 🤝 Trust is key. Invest time in building genuine relationships with stakeholders. Understand their priorities and show them how you can help achieve them.
    3. Show Value, Not Fear 💡 Avoid scare tactics. Instead, focus on the positive impact of good cybersecurity practices, like protecting the company’s reputation and ensuring business continuity.
    4. Be a Storyteller 📚 Tell compelling stories about cybersecurity successes and lessons learned. Make it interesting and relatable, so your audience is engaged and understands the stakes.
    5. Be Proactive 🚀 Don’t wait for issues to arise. Regularly update business leaders on potential risks and proactive measures. Show them you’re ahead of the game.

    Developing rizz isn’t about being slick; it’s about connecting, communicating effectively, and showing genuine value. Let’s make cybersecurity a business enabler, not just a necessity!

    #CyberSecurity #BusinessLeadership #CommunicationSkills #ProfessionalDevelopment #RizzInCybersecurity

    Would love to hear your thoughts and experiences on this! How do you translate technical details into business benefits?
