At the "Prepare" stage, CISOs must determine what to say, how to say it and to whom to say it. Tips for this stage include the following:
Reporting does not drive action; be clear in expressing what outcomes you are looking to achieve.
Engage with government agencies and others that have a reputation for high-quality threat intelligence.
In cases where statistics and KPIs are useful, they should not be the starting point for creating the message.
At the "Engage" stage, CISOs must lay the foundation for success, have the conversation and build the board's confidence. Tips include the following:
Don't try management by decibels.
Be relentless in demonstrating business value.
Leverage everything you can; there is no time to sit on your laurels.
Don't try to educate the board in the meeting; no individual will want to show ignorance of the topic in front of the others.
At the "Review" stage, CISOs must find out what happened, assess the success of the iteration and identify the next steps. Tips include the following:
Hearsay is a form of feedback; although its content is not always reliable, it carries an indication about the general appreciation of your performance in front of the board.
Look for and review the minutes; if possible, check with the minute-taker to see what he or she is going to record against your topic before they publish the minutes.
Engagement typically starts below board level and works up one level at a time.
Meeting your objectives is not always essential; it may be that the iteration improved engagement in ways that you had not anticipated.