
Breakout Session

Cyber Storytelling: Communicating Risk to the Board and Beyond

Engage with Commvault’s Cyber Resilience Council and gain key insights into effective techniques for briefing the board of directors. Learn what questions to anticipate and how to translate deeply technical issues into business and operational terms.


About This Session

Communicating cyber risk to the board requires shifting from technical explanations to high-level business conversations. Instead of focusing on IT jargon, CISOs must translate cyber threats into tangible business outcomes—such as revenue loss, brand damage, regulatory exposure, and operational disruption—so board members understand the enterprise-wide impact.

Board members are experienced in evaluating and managing risk, but often lack the technical background to interpret complex cybersecurity details. Presenting information in clear business language—who the attackers are, what vulnerabilities they target, and how disruptions affect P&L—enables them to connect cyber threats to familiar strategic and financial frameworks.

Effective communication highlights likelihood, consequences, and blind spots, helping boards understand where risks exist, how they could materialize, and what the organization is doing to mitigate them. This business-first approach reinforces the idea that cybersecurity is not an IT silo but a core element of enterprise risk management.

Real-world ransomware incidents provide relatable context for boards, demonstrating the financial impact of downtime, the reputational stakes, and the scale of disruption when critical systems fail. These examples make abstract cyber risks more concrete and support informed decision-making at the executive level.

Framing cybersecurity through operational, financial, and strategic lenses empowers boards to better oversee risk, evaluate mitigation strategies, and ensure the organization is prepared for modern digital threats. This approach aligns cyber risk management with broader business objectives and the company’s unique risk profile.


Key Takeaways

  • Cyber risk must be framed in business impact terms, not technical jargon, for boards to understand urgency and relevance.
  • Boards respond best to risk discussions tied to financial loss, brand damage, and operational impacts, especially when supported by real-world examples.
  • CISOs should focus on likelihood, consequences, and mitigation strategies, using plain, accessible language.
  • High-profile ransomware incidents help boards visualize the true cost of downtime and the scale of potential disruption.
  • Cybersecurity is an enterprise-wide responsibility, requiring leadership engagement, cross-functional awareness, and ongoing communication.
  • Tying cyber incidents to P&L areas makes risk quantifiable, enabling better governance and resource allocation.

Frequently Asked Questions

Why do CISOs need to communicate cyber risk in business terms to the board?

Boards evaluate organizational risk through financial, strategic, and operational lenses. Translating cyber threats into business impact—rather than technical details—helps board members understand the real consequences and make informed decisions.

What information about cyber threats is most valuable to board members?

Boards want high-level clarity on who threat actors are, what they’re targeting, how likely incidents are, and the potential impact on brand reputation, P&L, and operations—not detailed IT specifications.

How can CISOs make cyber risks more relatable to the board?

Using real-world ransomware cases, quantifying downtime costs, and mapping risks to specific business units or P&L areas helps boards understand how cyber incidents translate into financial and operational losses.

Why is cybersecurity considered an enterprise-wide issue, not just an IT problem?

Modern cyber incidents affect every part of a digital business—from supply chain and customer experience to compliance and revenue. Communicating cyber risk as a business issue aligns leadership around shared responsibility.

What should CISOs include when discussing mitigation strategies with the board?

CISOs should highlight current controls, incident response plans, recovery strategies, and identified gaps—all articulated in business language—to give the board confidence in the organization’s preparedness.

Transcript



Hi, welcome to the Shift podcast.

I’m Melissa Hathaway and I’m joined here by my friends, John Zangardi and Shawn Henry.

And we’re here to talk about how do you communicate risks to the boardroom?

And we’re gonna talk about some very interesting cyber sticky stories.

Thank you so much for being here and I’m looking forward to this conversation.

What do the boards wanna hear in the boardroom?

What do they want from the CISO and to hear about the digital risks?

You know, anytime I think about talking to the board, it always starts with risk at a high level.

I think the board many times hears that there’s a lot of issues.

They talk to friends at dinner.

They hear from other boards that they’re on that this is an issue, but they don’t necessarily have the granular understanding and they don’t need the technical understanding.

I think they just need to understand who are the actors, what is it that they’re
exploiting and most importantly, what is the impact?

And if they can get their arms around that, then they can begin to understand how the company is better preparing itself, how the CISO is really securing the enterprise to mitigate risk.

Board members know what risk is, whether they’re in the financial services sector or
they’ve been dealing with risk their entire lives, they’re professionals.

And if you give it to them in that term, it’s a great way to start to level set and provide a framework for which there can be much deeper conversations about how the company’s getting better to secure the enterprise.

So I sit on a few boards and I think everything that Shawn just talked about makes
complete sense.

So the person who’s receiving it, what I really like is part of the audit and risk committee that the CISO comes forward during that meeting and lays out the story as Shawn’s talking about for the board to hear as part of that audit and risk committee meeting.

It’s really important that he covers the risks.

He covers, hey, what is the probability of that bad thing happening and what’s the consequence, right?

In normal English business terms, does this affect our brand, our reputation, but also
talking through for the entire board how he might handle those things.

So generating an awareness for the board of the risks he’s dealing with in a language that they understand, because you can’t expect every board member to be an expert in IT, right?

So there are some blind spots and I think it’s the role of the CISO to start illuminating
those blind spots.

I sit on a few boards and I brief a lot of boards.

I always look at it as this is not an IT issue.

It’s an enterprise risk issue.

And we have to be thinking about this, that all businesses are digital businesses.

And how are we going, what is the health of the business today?

And thinking about those key business terms of: how do you actually communicate what’s at risk from a P&L perspective?

And I think that a lot of our professionals in this field think about it as just a technology issue and they’re not actually translating: if this particular business critical system goes down and it’s in this particular P&L, that’s going to cost us this amount of money per day, and getting to those business terms.

Have you found to have successful pieces of that, Shawn?

I think that it’s become much easier in recent years.

Ransomware has made that available to everybody.

They can see when ransomware hits a particular company and the company is down for two days or two weeks or two months and what the cost of that is, and that’s often publicized.

We’ve seen some recent examples with Jaguar in the UK, domestically in the US, many, many
times different companies that have been impacted that way.

I think the CISO’s role is to enable the business.

You enable it primarily by securing it, but you’ve also got to ensure that you’re not restricting or constricting functions.

I think that when that risk that we’re describing here is effectively communicated, then the board and other executives as part of the operations, they have a much better understanding and appreciation and they’re willing to make adjustments if they recognize what the long-term impacts will be.

So quantifying it is becoming easier because the data is much more prevalent nowadays.

So Shawn, let me add to that a little bit.

Trust, it’s something that is hard to get, easy to lose, right?

And the first time a bad thing happens, for that CISO to show up and start talking about the bad thing and the risk, that’s too late.

There isn’t trust.

Trust is built up through interaction, right?

Where he comes in, the board’s familiar with him, they know his or her approach, they’re
used to dealing with that person, they’ve seen the behavior that results from that.

So when that bad thing happens, right, which is going to happen to everybody, because IT is ubiquitous, it is in every company everywhere these days, you want to make sure that there’s an element of trust between the person talking to the board about risk and the board.

And also in all of this, the CEO is ultimately responsible.

So even though I’m talking about this is something the CISO should do, the CEO is
responsible for this ultimately.

So, but it’s not just the CEO or the CISO or the CIO or the Chief Data Officer.

It’s a broad accountability.

So how do you get to that fluency that this is all about the business and you’re bringing in the Chief Privacy Officer, you’re bringing in the IT organization, you’re bringing in the digital transformation team.

The CEO can actually translate things to the board and it become really kind of that team
accountability versus individual accountability.

So I think that when you talk about accountability, there has to be a human who owns accountability.

In this case, maybe it’s the CISO who owns it.

But it needs to be represented.

And everybody in the organization needs to recognize and understand that it is a team
sport and everybody owns a piece of it.

Everybody’s accountable and a significant breach or a significant incident is going to
impact everybody in that organization.

So there certainly is shared responsibility and liability.

But the CISO, I think you have to have a person who owns it, who helps to provide the strategic direction, who’s responsible for ensuring that actions are taken and that strategy is successfully executed.

But without a doubt, it is a whole of company response, not just the executives, but every
single person in the organization, because they’re all users.

They’re all touching the keyboards, they’re all handling data, they’re all responsible for
populating databases one way or the other.

Everybody needs to recognize and understand: my organization, security first.

We’re leaning in and everybody recognizes that a breach is going to have a catastrophic
impact on everybody as a group.

So that’s well said.

There needs to be a single point of accountability.

The person who’s responsible that you go to, who’s coordinating the exercise.

But a lot of boards will have an executive session where company members and the CEO will
not be present.

And there’ll be a discussion there.

And sometimes where boards lack expertise is in the cyber space, is in the IT space.

And I think it’s important that boards also have that expertise on the board.

And I say this sarcastically and don’t take it as bad, going to an NACD course on cyber
does not make a board member an expert in this particular area.

I think it’s really helpful for a board to have someone there that when something happens, and they’re in executive session, that there’s someone on the board who is in the company where there may be a little breakage of trust who can do that translation and bring it to the board in a way that’s more understandable or help them frame the questions they’re asking.

Yeah, so I guess if I were to repeat that, you have to adopt a board member to help you, and maybe along with the CEO, to help be the translator in the room and to reinforce where they all have a fiduciary responsibility on protecting the company.

And that’s the key word fiduciary responsibility.

So, you know, why would you not have a former CISO or a former CIO or someone of that ilk
on your board to help you think through these things in executive session?

Agreed.

Okay.

So when you start to think about this, I always when I want to frame kind of like the
what’s going on, it’s the it’s the what’s happening.

You know, we got ransomed.

The so what, we’re completely offline and it’s costing us a lot of money per hour per day
of being offline.

And as you said, Shawn, there’s a number of examples where we’re watching companies who have been offline now for almost three months and can’t support, they’re not paying their suppliers, they’re not selling their product, et cetera.

And then it’s the now what, now what do we have to do about, how do we get in this
situation?

And so if you could start to talk about some of the metrics that you’re finding useful of communicating that.

For me, it’s sort of the legacy hardware and software that’s unsupported and 100% vulnerable 100% of the time.

But what are some of the metrics that you find useful, Shawn?

So I think that when you’re providing metrics, the purpose of the CISO providing metrics is just, I believe, to show the board that there’s progress being made in the overall security of the organization.

So if last month we had X number of vulnerabilities that were left unpatched.

We’ve narrowed that gap this month and we’re demonstrating why it’s happening.

And if it’s not happening then there needs to be questions asked.

So metrics have to be measurable and they have to be valuable in terms of demonstrating
that there’s growth in the program.

I think things like the ability for the company to detect attacks.

Right.

You have to have visibility into what’s happening.

So here’s what we’re able to detect.

The speed in responding.

What is the time to respond and remediate or mitigate after detection?

Are we narrowing that gap?

We’ve learned through AI and a bunch of other attack vectors that the inability to quickly
identify, detect, and narrow the gap results in a breach.

It happens regularly.

We’ve seen adversaries that have been on networks for months or years undetected.

Those are some of the metrics.

This vulnerability piece is critical.

I really appreciate when you said, something that’s a legacy, it’s not supported anymore, no patches, 100% vulnerable, 100% of the time.

Are we okay with that?

Because if we are, that’s gross negligence if there is a breach.

You knew it was vulnerable and you chose not to do anything about it and it was exploited
and it resulted in these consequences.

That’s not good.

So I want the board to be comfortable that there’s progress being made.

To John’s point, if you’ve got people that are pure business people, don’t have any
experience from a security perspective, they’re really relying on the trust of the CISO.

That in and of itself, I don’t think is appropriate.

You should have somebody with some expertise who can push back in a productive and
professional way.

But you’ve got to demonstrate we’re growing and we’re more secure.

So I’d like to add everything we is fantastic.

I want to add one thing to it.

And I think this is it sort of comes into training.

And you guys have heard me talk about aviation too many times.

But in aviation, when you go out and you have a bad flight or a mishap, you do a hot wash.

You go back and look at the root cause of like, this is what happened.

And it could be a technical reason, it could be other reasons.

But I think it’s important that when that bad thing happens that the board be brought in
and have it explained to them this happened.

This is why it happened.

This is how we recovered.

These are the things that happened to us in terms of, hey, lost revenue, reputational
damage or whatever it is.

And the reason is, we all know this, you learn from your mistakes more than you learn from your successes.

So I’m not making light of it, but I think that’s an important addition as part of
training and up educating your board.

So I like to use examples always and real case studies and the sticky story for me over
the last couple of weeks was the heist at the Louvre.

So we lose, you know, $10 million in jewelry or maybe it was even more than that, right?

And so the Louvre was running unsupported hardware and software through the entire museum and knew it.

And they had the passwords were Louvre and then Thales which was the company that was
supposed to be doing the security of it.

So 100% vulnerable, 100% of the time with an easily guessable password and boom, lost the jewelry.

Do you have any of those kinds of like sticky stories that are sort of like that you can
use as examples?

You can anonymize it of like this was the bad day and it was material and embarrassing.

Password was the Louvre?

It was I’m writing this up this week.

I didn’t know that.

It’s going to be in my newsletter this week.

I don’t think I have anything quite that embarrassing.

I’m sorry.

But, you know, I’ll come back to what I was talking about earlier.

You know, what do you learn from things?

And I’ve had the privilege of watching a lot of cyber incidents over my career while in
government.

And, you know, while you’re in DOD and something bad happens, if you’re selling to them, Cyber Command is going to get very involved in your life.

The way you should handle it, because it’s important that you handle it, is a matter of
transparency to go, these are the mistakes I made.

I’d hate to be able to say to CyberComm, well, our password was the Louvre, but you need
to be able to go in there.

The consequences are very high when you’re selling to the government, that Cyber Command will issue a command task order.

That’s basically a rip and replace and all the components, the services will begin
removing that.

So it’s very important to be open kimono when you’re dealing with those sorts of people.

And I think that also translates over to customers.

If you go back and you look at SolarWinds, which everybody knows, it’s entered our vocabulary as a common term, and you look at how it was handled and how they went forward, there’s a lot of things in there that went wrong and I’m not going to get into that, but if you were to look at the company’s revenue from the day that happened until now, they’re still alive, they’re a functioning company, their revenue has increased because they took the steps, however hard and how many missteps they did, to improve, and product is selling even though SolarWinds is generally viewed as a not so good term.

Let’s pull that thread just for a moment on product security, because a lot of the products companies don’t necessarily think of themselves as security companies.

And so they may not have invested in the security of said product.

And so we’re seeing this one to many of, I’m going to go after a product, compromise the integrity of that product, and then get to a lot of other customers that were really depending upon them to do the right thing of invest in security, ensure that it’s a quality product going to market, ensuring that it has its updates, et cetera.

So how do you tell the story of when a product has lost its integrity, and, you know, what do you expect of the company then? How do you tell that story to the board? I don’t have the power of the purse.

So I think that you mentioned SolarWinds, and NotPetya is another one.

There have been more recent ones where the product has been breached.

I think this is one of the risks and the CISO has to articulate the risks to the board.

I think it also brings up an interesting piece about continuity of operations.

And it’s not just where are we vulnerable?

Because we’re all vulnerable somewhere.

Where are we vulnerable?

Who is targeting us?

Why are they targeting us?

What are the consequences?

If one of those things happens or all those things happen, how do we recover from it?

What does our resiliency look like?

And what is our plan to ensure that we’re able to rebuild the enterprise, regain trust?

What does that look like?

And that has to be an important component of the CISO’s communications to the board.

Every company is going to have an incident.

It might be something as simple as a lost laptop.

It might be something like we saw with Jaguar where the entire enterprise is down for
months at a time and they’re losing hundreds of millions or billions of dollars.

What does the company’s response look like?

Who’s responsible?

How do you communicate it?

How do you, from a technical perspective, how do you bring in outside organizations, partners to help you do this?

It’s another important piece to give the board some level of comfort that we as a company
have the best plan in place.

First thing we want to do is ensure we are securing it all.

When there is a problem, we need to make sure we have a plan in place to rectify it.

That’s kind of the 360 security because you can’t have resiliency without security, you
can’t have security without resiliency.

Well said.

And I think resiliency is an important piece here that we should talk a little bit about.

I’ve written many articles about software monoculture and creating a dependency on one
software provider.

Names aren’t going to be mentioned.

If you’re thoughtful, you want to make sure that you’ve created some sort of redundancy to
get you to resilience.

So these matters are pretty complicated in terms of how they’re laid out.

I wouldn’t expect many boards to be able to walk through these issues, but I think it’s important for a CISO to be transparent enough, CIO to be transparent enough to explain the precautions they’ve taken, how they’ve laid out the infrastructure to ensure that they’ve thought about different contingencies that might occur.

And they’re not too reliant on one source for their software.

Yeah, the business continuity, disaster recovery, I like to call them digital disasters.

And what the challenge is, is that while I might have been in charge of security, somebody
else is in charge of restoration and getting everything back up and running.

So it starts to underscore of how do I prepare or how do I pull those scenarios and do
tabletop exercises involving the board?

I know, Shawn you’ve run multiple exercises.

Yeah, I think we’ve done exercises with kind of the line people, CISO and the CISO’s team,
more broadly with the broader executive team and also just with the board.

I think these things, it’s most important is awareness and getting them to understand.

And then from a practical level, trying to determine who’s responsible for what.

I can tell you I’ve been in these exercises.

I’ve led some of them.

One of the ones that was most important and impactful for me, and this was earlier on, probably eight or 10 years ago, but I sat down with a major financial organization and the COO of that organization was in the room and there were 20 or 30 people in the room, the CISO as well as many technical people, CIO, CTO.

When we laid out the fictional attack and what happened that had actually impacted the trading platform of this financial institution, I remember the COO looking down the end of the table at the CISO, could this really happen?

Pointing up at the PowerPoint description, could that really happen?

And the CISO nodded yes.

And he was shocked.

And then we went through, okay, well, what does the response look like?

well, oh, Mary’s responsible for that.

Mary’s actually on vacation this week.

Who’s her backup?

That’s Dave.

Dave doesn’t work at the company anymore.

It was amazing to me, but these are the types of things when you go through these exercises, and especially for a board to go through an exercise where they can actually see all of the cascading implications and how there are so many moving parts.

And it really helps them to understand and support and provide resources and to become appreciative, I think, and that provides this.

We talked earlier about it’s a whole team sport.

Well, the board’s part of the team because at the end of the day they have the same objective as everybody in the company: they want the company to be successful and deliver to their customers.

So I think those exercises are important and they add great value to this whole process
we’re talking about.

So I agree and we’ve all heard of the learning curve.

So the first time that something happens should not be the real thing, right?

Because of everything you’re saying, where’s Dave?

He quit.

Where’s Mary?

It’s her day off.

As you work through a tabletop exercise and you review these things, people become more
familiar with the moving parts and how they’re supposed to deal with that.

And contingencies come up in interesting questions.

That’s why people practice things to learn from it and become more proficient.

You want to be somewhat proficient before a bad thing happens.

So I really would encourage not just one exercise, but routine exercises that kind of, you
know, lift everyone’s boat to the same level.

Build that muscle memory is really important and stuff.

I think that that is essential, but it’s also starting to get that when you have a bad day, it’s not just the people who are going to restore the systems, the people who need to secure the systems.

There has to be an entire communication strategy.

And thought through of who’s gonna be the spokesperson, how is my press or media team operating, where’s my legal, internal counsel, outside counsel, how do I start to think about that emergency management, if you will, Shawn.

Yeah, no, and that is all, a tabletop is a great way to do that.

Know who the people are well in advance.

You don’t wanna start thumbing through numbers and figuring people out while you’re
scrambling to respond.

You want to be prepared well in advance.

This is an area also where you start talking about governance and compliance and
regulations, right?

Part of the communication process, you want to talk, first of all, you want to talk to your customers, of course.

You want to talk to all your partners.

You want to talk to your employees.

And in many cases, you’re going to have to talk to regulators, and then you’re going to have to bring your general counsel in to participate in that because there’s some significant potential liability issues there.

That can all be gamed out in advance.

It’s not going to be 100%.

It’s not going to be perfect.

But it is going to provide you with enough familiarity, a level of confidence.

It’s going to establish the relationships with these outside folks so that when something bad happens, and it will happen, depends on what degree it happens, you’ll be able to respond.

I can tell you that those that are best prepared successfully navigate through these.

And those that are ill-prepared are going to fail miserably.

Well, and it’s visible if you haven’t practiced it and you’re the CEO who what I would
expect in many cases will be dealing with their major customers laying it out.

This needs to be done thoughtfully and as if you’re a professional.

So just responding without having been prepared leaves you in a lurch.

And I think it’s very apparent from how that’s portrayed.

It will also do damage to the company’s reputation and brand.

So coming across as prepared, with some degree of polish and that you’re in charge, I think, is something that you need to convey in this.

And you don’t get there without everything that Shawn just talked about.

Yeah, I ran an exercise for a healthcare institution and it was only two hours and it was broken into 30-minute blocks.

And at the end, the CEO was like, my adrenaline was up, my heart rate’s at 140, and thank God this is only an exercise.

Just because of the, if you run it right, you have the same amount of stress as this was
really the real day and the bad day.

Well, all three of us have been in government, and all three of us have had to go to our
boss, who were probably fairly senior political appointees, and deliver bad news.

It’s not easy.

It just isn’t.

But you have to rip the band-aid off.

You got to do it.

Yeah, so in the government, we would say it’s a bottom line up front.

Bottom line up front, start all messages to the board with the bottom line up front.

I’m here to tell you about A, B, and C.

And today, I’m gonna tell you how sick our organization is, because we have this many
legacy systems running our core business.

And this is what we need to do about it.

And this is where I need your support.

And never leave, especially when you’re briefing Congress, never leave without your ask.

You have to have the bottom line up front and then what you want from them.

I want your support.

I need money.

We need more people.

You’re 100 percent right.

But this is where the trust comes in.

If the board trusts the CISO because she’s been up front with them previously, they’ve been through an incident previously, she’s got, you know, command of the room, if you will, there is going to be that sense of responsiveness and they’re going to be much more willing to provide the ask without a lot of questions, not that they shouldn’t ask questions, but when there’s a level of trust, the program’s been built such that it just makes free flow of information much, much better.

So our regulators have been basically telling us we need to have strategies, policies,
accountability, adequate funding for cybersecurity, digital resilience of your business.

And the board is supposed to have a regular cadence of meetings and show that they’re actually meeting their fiduciary responsibility.

17% of the organizations say that they’re not ready for a bad day.

And a lot of boards are still only doing this once a year, or they’ve delegated it to a
committee and not having the full board.

What is your perspective on that?

I agree that this has got to be one of the most significant risks, if not the most significant risk, for every organization, because their entire enterprise relies on the digital landscape.

So therefore, as part of ERM, it’s got to be something that’s provided a lot of attention.

Every board is a little different, every company is a little different, the level of
familiarity and the level of expertise is different.

So there’s not really one size fits all, but I would err on the side of more is better than less because of the significance of this.

I don’t have an issue with a particular committee, the audit committee, as an example
being the responsible entity and that the audit chair

being almost matrix to the CISO where the CISO has a direct line to pick up the phone and
go over and talk to the audit committee chair if there’s a problem.

But I do believe that the broader board needs to have an appreciation and understanding
and that does require more frequent communication.

So I’m like you, I’m not wedded to the audit committee, but I do think that’s a logical
place to put it.

And it really depends on how the company wants to handle it.

So there’s no formula per se, but.

I guess there is a formula in that it should be connected to somehow in the board.

But we have to really understand the world is not getting less risky in terms of cyber.

It’s really getting more risky.

And we can go into all the reasons why, but they should be apparent because they’re in the
news almost every day.

So you can’t put your head in.

You can’t bury your head in the sand like an ostrich.

You have to really start going, ok it is happening.

I’m seeing it happen.

It’s probably happened to one of your friends in business.

How am I prepared?

So it starts with asking the simple questions from the board.

So what do we do when this happens?

And get the ball rolling.

That’s the first thing you have to do to begin getting prepared.

I’d add something else too.

As part of this whole trust thing, I don’t think the CISO should always be just responsive
to board questions.

I think the CISO should be proactive.

So as an example,

we’ve been talking about AI as a significant risk.

It’s a new arrow in the quiver of the adversaries.

It would be great for the CISO to be proactive and come to the board and say, hey, you’ve
probably been hearing about it.

Let me tell you what we’re doing here.

That helps to establish trust that the CISO's paying attention.

You know, hey, I know we're building a new factory over in India.

Here’s some thoughts and concerns about this from

my perspective as a CISO.

Here’s the types of things we should be thinking about.

I think being proactive demonstrates awareness, it demonstrates competency, it
builds trust.

And I think that it really allows the CISO to help to enable the business.

So, Shawn, I never thought about what you're just saying, and I love it.

And the CFO is similarly tied to the audit committee chair.

If there's a problem coming up where,

hey, we're going to have problems paying the paychecks or some financial issue,
there's a reach out to the auditor.

The trust is built between those two people.

There’s no reason.

There's no good reason why a CISO should not be doing something similar.

Be proactive in your communications.

You know, I look at it as also: what questions should the board be asking?

That’s not, that’s just in general.

Do we actually know all of our business critical systems?

Do we have visibility into all of the human and non-human identities?

And are we prepared for the next wave of identities with agentic?

Do we actually understand all the privileged accounts, and are we actually scanning the dark
web for, you know, our credentials and things like that?

If we can't answer those questions for the board, that is a red flag in my mind that
we don't have the capabilities that we need to have.

We're not really prepared for that, for, you know, being a resilient business.

So earlier in the conversation, I mentioned that it might be useful for a board to have
someone with IT and cyber experience on the board.

And a practical example: I'm on a board of a company, and they were changing their HR
system, and that transition always entails risk, as anyone knows.

But we were briefed.

But really understanding the risk came from me on the board, because I was asking questions
from experience transitioning those systems,

which was really helpful for the board to understand where things were.

And by the way, it was very helpful for the CEO because he was not an IT guy.

So that really brought the risk to the front, and then a rich discussion about "I understand
that's a risk and here's how I'm managing it" is an important discussion for boards to

have as you go through changes to your systems, or even understanding your critical systems.

So the CISO needs to understand that they’re briefing

the people who have the duty of oversight of the company.

They need to tell them what the real risks to the business and enterprise are, in
business terms.

And they need to actually discuss the plan and advocate for what they’re gonna need from
their board members.

That’s absolutely true.

And I have dealt with many boards and I’ve dealt with many CISOs.

And I know that sometimes CISOs are reluctant to do that, because

their boss may be sitting at the table and is not interested in them providing
information that they should be, because the board has that fiduciary responsibility and

should hear the totality of what is at risk.

But they're reluctant to do it, and I would suggest to CISOs that, again, professionally done
in an appropriate way, it takes courage to provide that sometimes, and you may

break a little glass, but I think that you've got to do that. And if you're in a situation
where you feel you cannot provide legitimate, authorized information that the board is

required to or should hear, if you're not in a situation where that environment is conducive
to that, you need to look for a different job.

It’s hard.

Personal story, without getting into particulars: as a departmental CIO,

I have a lot of component CIOs, and there was an issue at one of the components where the
CIO for that component was afraid to talk to his leadership.

I did it.

It shouldn’t be like that.

You need to do it.

And once I talked to the leadership, you could see it in their faces, the surprise, but
they also realized, well, we have to do something.

So you’re right, it’s hard to break glass, but you need to do it.

I did it respectfully.

I did it simply.

And we got on to fixing the thing.

I think I’ve told many board directors that when you’re sitting at the table, you need to
create an environment that is conducive to open discussion.

If you as a board director are sitting trying to catch somebody doing something wrong and
you create an environment that restricts free dialogue, you are a problem.

You’re creating issues for that board.

It needs to be conducive.

It needs to be collaborative.

And again, we all want the same objective, right?

We want the company to be successful.

We want to minimize risk, we want to delight our customers.

That’s what we should be doing as a company.

Board has an oversight responsibility.

The CISO has an execution responsibility.

But together, you’ve got to create an environment that allows that to happen.

And if you are not creating that environment as a board director, you need to go somewhere
else.

But we need to communicate risks and mitigate the risks.

Correct.

And together we're the team.

And we need to do it in a delightful way, because I like that word.

Delightful.

Well, this has been so much fun to talk to both of you. John, Shawn, thank you.

And that is the conclusion of our SHIFT podcast.

I’m Melissa Hathaway, and this was Communicating Cyber Risk in the Boardroom.