There’s a disconnect. Many resources focus on “what” CISOs should present to their boards, yet CISOs continue to seek guidance on improving their engagement with Board Members. This indicates a need to better understand the Board Members themselves.
This article tackles the “who” and “how” of board interactions. Below, we’ll introduce six common Board Member archetypes that CISOs interact with. We’ll explore the challenge each presents and suggest initial steps for successful engagement.
1. The Knowledgeable Technologist
This Board Member has a strong background in technology and a deep understanding of technical concepts.
Challenge for CISOs: Identify the gap in technical understanding between yourself and the Board Member, and the priorities their domain expertise drives, in order to establish credibility and foster a productive relationship.
🎯 Approach Strategies
- Knowledge Mapping: Determine the technological expertise of the Board Member by understanding the various responsibilities that they’ve previously had and challenges that they’ve solved. Determine what the Board Member knows and identify differences in domain knowledge.
- Mutual Understanding & Alignment: Ensure that both parties are on the same page regarding key technological issues.
2. The Headline Hoarder
The Headline Hoarder voraciously seeks and consumes the latest news and trends, often raising recent headlines during discussions. Headline Hoarders may jump to conclusions before having all the relevant facts or an accurate understanding of implications.
Challenge for CISOs: Discern why certain headlines attract the Board Member’s attention and quickly contextualize any headline to the cybersecurity posture of the company. Additionally, CISOs need to confirm that the Board Member has followed all (or at least the same) ‘chapters’ of the story. Rarely does any story start and end with a single article.
🎯 Approach Strategies
- Investigate Their Interest: Understand what about the headlines intrigues them and why they think it matters to the company.
- Engage with News: Regularly read and share relevant news to establish common ground and demonstrate shared interest.
- Contextualize Information: Provide insights that relate the news to the company’s specific circumstances.
3. The Compliance Contemplator
The Compliance Contemplator is focused on ensuring that the organization meets all regulatory requirements and standards. Always. In all relevant and potential scenarios.
Challenge for CISOs: Derive a shared threshold for the minimum standard of care to achieve adequate compliance.
🎯 Approach Strategies
- Evidence Review: Examine how other regulated parts of the business evidence their compliance status.
- Compliant but Exposed: Communicate areas where compliance is achieved but technology risk remains.
- Scenario Review: Review specific examples of compliance deficiencies the company is willing to accept. (Using specific examples will reveal specific guidelines and avoid discussions of principle.)
4. The Eager Learner
The Eager Learner is genuinely interested in understanding cybersecurity issues. They may be interested academically or from a business perspective when asking questions. Lots of questions.
Challenge for CISOs: Tailor explanations to their level of understanding. This sometimes requires filling in additional explanations to improve their comprehension.
🎯 Approach Strategies
- Proactively Offer: Separate from the committee update, offer an overview of the technologies and concepts shaping cybersecurity at this time. This may occur annually.
- “From My Perspective”: This expression, when used as part of an explanation, invites questions and interaction by avoiding absolute statements.
- Industry Definitions: Follow up by sharing resources that explain concepts that were discussed and open a pathway for extended exploration.
5. The Strategically Interested Partner
The Strategically Interested Partner wants to be involved in reviewing the direction of the program and the initiatives that will be prioritized to get there. They seek to contribute their experience.
Challenge for CISOs: Engage them in a way that activates their strategic interest while keeping them within the boundaries of their role as Board Member.
🎯 Approach Strategies
- Communicate the Scaffolding: Rather than dive into the details of project roadmaps, communicate the strategy as a ladder (first this, then that) to discuss the overall direction at a level appropriate for a Board Member.
- Extend Your Horizon: Engage them in discussions about long-term goals and challenges without delving into operational details. Rather than review the 12-month plan, invite a strategic discussion that intellectually considers trends and future predictions to inform your near-term plans.
6. The Committee Chair
The Chair is responsible for the effective governance of the Committee or of the Board. To do this they must coordinate the skills of all Board Members. Each committee has a chair. The Chair sets the agenda and manages the committee. No matter what.
Challenge for CISOs: Understanding that the Chair sets the tone for the Board, it’s necessary to align with their priorities and preferred engagement style. The relationship with the Committee Chair sets the tone for the CISO’s success with the overall Board.
🎯 Remember
- Respect for the Chair: The members of the committee defer to and respect the role and tone set by the Chair. Invest in building a positive relationship with the Chair.
- Professionalism, Always: How the CISO interacts and engages with the Chair before, during, and after the meeting will directly contribute to how the Chair guides the committee to engage with the CISO.
Notes and Disclaimers
Others may offer different archetypes of Board Members that CISOs may face—they’ll be right. A few additional considerations about the various Board Member personas:
- No list of personas is complete. The purpose of assembling a list is to start to recognize patterns, rapidly. For security leaders, the reason to recognize patterns in board profiles is to drive better engagement.
- Each Board Member may present more than one of these personas. Such primary and secondary personas may change over time.
- Personas don’t always follow the person. Instead, a Board Member’s primary persona might change as the mix of each board varies.
- What you observe is someone’s persona on THIS board. The same Board Member may take on a different persona on another board.
Final Thoughts
Understanding Board Member personas is a key strategy to aid the CISO in engaging more effectively. More than any other stakeholder the CISO interacts with, the Board Member has as much to lose as the CISO from the quality of a company’s cybersecurity posture. Improving the CISO’s relationship with their Board Members starts by approaching them first as people (people who have a lot to lose), then with the shared goal of protecting the company’s assets.