By Bruce Sussman
Fri | Jun 21, 2019 | 10:54 AM PDT

JPMorgan Chase CISO Jason Witty has a unique way of describing the cybersecurity threat landscape. 

It's an analogy anyone can understand—even a board member struggling to comprehend technology and risk. 

"There’s a new type of weather every quarter on our planet, and none of the other types of weather ever go away."

New threats join the old and get added to the list. Got it.

Communicating cybersecurity to the board of directors

So how do you communicate the implications of this to the board? We interviewed Jason Witty about this. He is a SecureWorld New York Advisory Council member.

"You’ve got to be really, really good at the translation of whatever that technical thing is to a risk, that a board member could understand, or the CEO could understand.

It’s just like any other business risk. 'Here’s the probability of this risk happening, here’s the impact if it did.' Context and implications are the two most important words. Context and implications."

Communicating cybersecurity to the board is also a major priority for CISO Zaki Abbas, who leads security at global asset management firm Brookfield.

"I think what's important right now is that boards are actually very interested in cyber," says Abbas, an Advisory Council member for SecureWorld Toronto.

"I mean, there's a lot of regulation, legislation out there now around making sure that companies, public companies specifically, have a very well controlled cyber organization. There's corporate governance that's in place as well. And it is one of the top risks these days on the board’s mind."

[WATCH: Our complete interview with CISO Zaki Abbas on communicating with the board of directors about cybersecurity.]


He sees part of his CISO role as helping the board to understand a complicated topic.

"I think your information needs to be clear, it needs to be concise, and it needs to be actionable and insightful. It needs to be spoken in a language where they are able to understand, from a financial perspective, what impacts can be if they don't do a particular type of a thing."

And he feels strongly about reminding the board that there is no such thing as being finished with an organization's security journey.

"I mean, with cyber there needs to be the continuous caring and feeding of the program. It's a program that requires continuous improvement. And that's something very important to explain to the board, that there's not one solution that will solve all our problems."

There is no single solution, then; but communicating this clearly can still bring benefits to security leaders and the business.

Result of clear cybersecurity communication with the board

JPMorgan Chase CISO Jason Witty describes those benefits like this:

"You have to present it as a business problem and then that will help you get the funding you need, the staffing you need, the speed to close down that risk, and the support to have that speed."

Cybersecurity reporting is increasing in significance

Boards increasingly expect IT security leaders to report on the security posture of the organization.

Cybersecurity continues to rise in prominence, and many organizations now expect a modern cybersecurity program that tracks and reports on its own status.

Demetrios "Laz" Lazarikos explains:

"The modern cybersecurity program will be as critical as reporting on sales revenues (or losses) in monthly and/or quarterly reporting to executives, the board of directors, investors, and partners."

Laz held Chief Information Security Officer roles at vArmour, Sears, and Silver Tail Systems. He was also a keynote speaker at SecureWorld Seattle.

