Winning Over the Board

From The New CISO



Length: 37 minutes
Released: Jul 29, 2019
Format: Podcast episode

Description

Building an Effective Relationship with a Board

Colin Anderson, Chief Information Security Officer at Levi Strauss & Co, sits down with Steve Moore to talk about interacting and building an effective relationship with an organization’s board, managing expectations and sharing narratives that resonate, the makeup of a board meeting, and the different personalities associated with it.

What the CISO & a Board Have in Common

The CISO and the board share something in common, which is to manage risk and make the business successful. However, the CISO has to earn the board's trust even when it's well established that he is the security subject matter expert.

Successful relationships must be nurtured, and this one is no different. Each board member comes to the table with a different point of view, background, expectations, and personality. Getting to know the board and how to best communicate with them is one of the CISO's top priorities.

Advice to a Younger Self

The first rule is to know your board, because every board is different. Some are savvy & cyber aware while others have little technology & security exposure. You need to do your homework to better understand your board members' areas of expertise and experience. You want to know if any of them have had a security incident or breach in the past, and if they have a deep understanding of security.

Another important question to ask yourself is whether you know any security leaders that have worked with some of your board members.

It's also important to know your narrative: what's the plan for your security function, how do you measure progress, and how best do you communicate and earn the trust and support from that board? I've seen a lot of leaders present in front of board committees and the most common mistake I see is the presenter not being prepared for that board audience. The presenter knows his stuff but he fails in communicating it in a way that earns the board's trust & confidence.

That story-telling skill is very important because your board is going to remember the narrative you tell them. They may resonate with the statistics you put in front of them temporarily, but a few months down the road they're not going to remember the numbers. They will remember the narrative you gave, that example you crafted to emphasize the point you wanted to put across.

The Different Types of Boards

There are different types of boards, where some are security savvy while others are not. Generally, they don't care, they have an IT background, or they don't. But a day of reckoning is here for them. They need to figure out and no longer be ignorant to these issues or be dismissive of them. They should know what the security department, and especially what the CISO, does.

However, the security topic with boards is relatively new and still in its infancy. They don't really know how to measure whether that security program or security leader is being effective. The NACD (National Association of Corporate Directors) has put out some pretty prescriptive guidance for boards on how to effectively manage security risk. This helps educate the board and also helps the security leader know how the board will be measuring them.

Presenting to a Board

Earning your board's trust is the most important thing you can do for your long-term success as a CISO. Educate them & build that partnership where you both work to manage risk to the business and enable it to succeed.

The other board members bring skills and experience you don't possess, and you have skills and information they likely do not possess. They're looking at you as a subject matter expert on security to help them make more informed business decisions. So if a situation is bad & there's a problem, don't be afraid to put that concerning information to your board. Don't be afraid to say that you don't have all the answers. Tell them what you're doing or what you’re not going to do & why.
In reality you have to make some har

Titles in the series (100)

The New CISO is hosted by Exabeam Chief Security Strategist, Steve Moore. A former IT security leader himself, Steve sits down with Chief Information Security Officers to get their take on cybersecurity trends, what it takes to lead security teams and how things are changing in today’s world.