
How best to interact with your board on cybersecurity

Interacting with the board on cybersecurity: An interview with ex-CISO of Credit Suisse, Jason Mallinder

In the field of corporate cybersecurity, the differences between the boardroom's polished table and the IT department's array of monitors might seem insurmountable. The task of bridging this gap usually falls to the Chief Information Security Officer (CISO) who must translate the technical world of cybersecurity into the clear-cut business language of risk and strategy.

For Jason Mallinder, this task was as challenging as any cybersecurity threat. Over the span of his 25-year career at Credit Suisse, a prominent global bank, he witnessed the evolution of cybersecurity from a niche concern to a board-level agenda item; and along with that came a series of learning curves and triumphs. In this interview, he delves into the complexities of communicating cyber risks to the board — a journey with both challenges and lessons.

Jason Mallinder is the former Global CISO and a Managing Director at Credit Suisse. He was responsible for information security, including cybersecurity and technology risk management, globally. Having joined in 1998, Jason spent 25 years at Credit Suisse and held numerous roles in technology and operational risk during his time at the bank.


Jason is a certified information security manager and certified risk manager. He chaired the Investment Banking Information Security Group in the UK and worked closely with the Bank of England and UK government on cross-sector cyber defence development, testing and exercising programs.

Dr. Manuel Hepfer, a cybersecurity researcher at ISTARI and Oxford University, sat down with Jason to talk to him about his experiences. This interview is a candid exploration of the key moments and strategic pivots that have come to define effective board-level cybersecurity communication.


The interview

Jason, looking back at your tenure as the Global CISO, could you describe a particularly challenging experience you had while engaging with the board on cybersecurity issues?

'I recall one instance vividly, where I approached the board to discuss the potential risks associated with active USB ports in the early days of my tenure as a CISO. I wanted to highlight a serious cyber risk to the board: the potential loss of data via active USB ports. I was proposing to lock them down.

'But the board meeting did not go as I had intended. I was perceived as restricting business. One comment I received was that the data was highly complex and extremely difficult to make meaningful by the bank itself, so how would any outsider do much harm with it? It ended up being a very challenging meeting.'

That must have been quite difficult. How did you pivot your approach to achieve a more favourable response?

'When I returned two months later, this time I was equipped with better data and a different approach. I realised that to communicate effectively with the board, I needed to speak their language. For example, I showed how many gigabytes of data were put on USB drives each month. The conversation was then about risk. Consequently, the board was much more receptive and understood the critical need to implement stricter controls over USB ports. The board's response was a resounding acknowledgement: "You need to restrict USB ports."

'For many executives, even the most senior ones, a presentation to the board of directors is the most demanding test of leadership communications. CISOs also commonly struggle with this challenge. While conventional advice like "tell a story" or "use fewer bullet points" holds true, it often falls short in addressing the unique challenges certain scenarios present, especially technical ones. I have had many personal experiences engaging with boards during my tenure as a CISO and have discussed the topic with many peers over the past few years.'

What makes reporting to the board so challenging for so many people?

'The board of directors is a diverse forum with no comparison to other groups most executives regularly engage with. It often comprises business leaders, academics, former CEOs and current financial officers, bringing expertise from different industries and fields. Some members have served on boards for decades; others may be brand new.

'It's vital to tailor your presentation to connect with each board member's understanding. For example, I learned to focus on changes in the threat landscape, discussing the correlation with our business risks. I spoke in terms of risk reduction in alignment with the company's risk appetite, utilising scales and indicative dollar values to steer away from granular financial discussions. It was about contextualising cybersecurity within the broader spectrum of enterprise risk and business continuity.

'When reporting to the board, the objective is not to discuss quarterly KPIs or other information that’s readily available — board members can access that on their own. Focus instead on the business impact and risk. The presentation should cover the most pressing challenges the organisation is facing (in plain language) and outline how to address them. Remember, the board has to be able to evaluate all enterprise risks.'

What are your top tips for CISOs for effective board reporting?

'First, I would suggest people perform a simulation to promote knowledge-sharing and engagement. These tabletop exercises can help impart knowledge but they will also help you grasp the board's expectations better. As a CISO, you will probably learn as much as the board members themselves, so you can update your incident management playbooks accordingly. Again, a board presentation is a two-way street.

'Second, I would start with the one thing you want the board to take away. You should not assume that you will have a lot of time with the board. During my last five years as a CISO, I had very few hour-long slots. More typically, I would have 10 minutes to make my points. The board may or may not review your material beforehand but regardless, it’s a good idea to start with the one thing you want the board to take away from your presentation and be sure to align that message with the board's priorities.

'Third, focus on the business context and show only very few KPIs. Very early on, I had metrics for everything, up to the point where I had over 100 different KPIs. The board told me that they could not see the wood through the trees, so I scaled those down to 10 KPIs. Even then, it’s not always about what information you’re sharing but how. For example, I once shared a KPI that said 2% of our servers were unpatched, which was effectively meaningless to them without business context. I clarified that the payment systems were exposed to a critical vulnerability, and if compromised, we could lose our ability to make payments. They then understood the message much more clearly.

'Lastly, work with a board member before the meeting (if you can). I was lucky to have been allocated a member of the board who helped me prepare for the meeting. That board member did not have deep knowledge of cybersecurity but helped me anticipate some of the questions and concerns others might raise during my presentation. As a result, I was better prepared and delivered far more value to the business.'


In 2023, Manuel, alongside colleagues Michael Smets, Professor of Management at Saïd Business School, and Rashmy Chatterjee, CEO of ISTARI, conducted in-depth interviews with 37 CEOs for a first-of-its-kind study about cyber risk: The CEO Report on Cyber Resilience.

Following on from the success of that research and from our collaborative work on cyber resilience, Saïd Business School and ISTARI have launched a first-of-its-kind custom cybersecurity governance enablement programme for boards. The Lighthouse Programme aims to demystify cyber risk by putting it in the context of business risk and risk appetite.