As security becomes a top priority for businesses around the globe, the chief information security officer (CISO) is increasingly tapped to present to the board of directors about the status of risk mitigation efforts and plans for the organization’s security strategy. In fact, Gartner estimates by 2020, 100 percent of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually.
But presentation doesn’t always come naturally to security leaders. And many are being asked to develop their business acumen to be prepared for regular executive and board meetings where the spotlight is on the CISO.
“Boards are becoming increasingly interested in security and risk management; however, there’s often a misalignment between what the board needs to know and what security and risk management leaders are able to convey,” said Rob McMillan, research director with Gartner, who offered suggestions for security managers in a “five slides in 15 minutes”-style presentation. “It’s critical that security and risk management leaders supply board-relevant and business-aligned content that is not hampered by overly technical references.“
What other tips and best practices should security leaders take into their board presentations? Here are some takeaways from industry experts.
Know Your Audience
A CISO’s first priority when trying to make a positive impression on the board is to get to know them outside of meetings, said John Hellickson of Kudelski Security.
“Get to know the board members and their backgrounds,” he said. “Spending time to research each Board member’s background and understanding any specific areas of focus they may have will help better prepare for questions they’re likely to ask, and better communicate with them generally.”
Investing time in getting to know Board members, and discussing security throughout your organization, helps position the CISO as a true executive leader, said Doug Martin, Director of Security with PCM.
“Get out of your office and get in front of people. Meet with key leaders, attend their staff meetings, focus on being recognized as a ‘leader’ not just the security leader,” he said.
That time spent doing research and having conversations outside of a meeting setting will have CISOs better positioned for success once in the boardroom.
Learn to Speak Their Language
Leading with information that is too far down in the weeds with security practices may leave board members confused instead of educated. It’s essential for a CISO to present security in terms the board can understand, and that means an explanation of the financial benefits of investing in security initiatives, and a clear breakdown of ROI for projects. The reasons for an investment need to be articulated in a way they can relate to as executives with an eye on the company’s overarching mission.
“Your CEO doesn’t want to hear that the company has a 43 percent chance of being breached and having the personal data of hundreds of thousands of customers compromised,” said Amos Stern, CEO of Siemplify. “Things need to be quantified. Instead, explain that because 600,000 customers are at risk, the company could potentially lose X million dollars due to noncompliance fines and lawsuits. If your company is publicly traded, the CISO also must convey the potential effects of a negative brand reputation on stock prices.”
Having a presentation that can articulate the value of security as a business enabler will capture the board’s attention.
“CISOs who can clearly articulate exposure to loss and how security approaches are effective at mitigating loss to acceptable limits will demand attention,” said Steve Preston of CyberArk. “While CISOs should be prepared to answer questions surrounding vulnerabilities and the latest threats, this should not be the crux of their communication as it fails to address the true business impact of security. CISOs need to be clear in communicating what the monetary risks are related to cybersecurity, and how security controls mitigate those risks and provide ROI.”
Provide Meaningful Examples
Few factors are more effective at opening eyes in a presentation than actual examples. Experts we spoke to suggested pulling in real-world speakers who could discuss having “been there” when it comes to a breach or other security incident.
“Use examples from industry peers to help promote the case,” said Greg Arnette, technology evangelist at Barracuda Networks. “If in retail, find other retail examples. Boards know their industry peers and won’t want to be the exception to the rule. If peers are acting badly, use that instead to promote being the positive alternative.”
“Having someone from the c-suite of a company that has been breached talk with the board is a good best practice—even better if that company is within the same vertical of your company,” Jackie Groark, director of Security/CISO, at Veristor. “Another best practice is showing them how a real cyberattack would have impacted the company’s bottom line if it had been directed at their company. Showing the board what it would have meant in real dollars either through customers lost, fines and penalties or lost revenue due to production lines being down or websites being unavailable, just to name a few, is a great way to represent it in business terms.”
Don’t Get Too Technical
Board members rarely understand the technical jargon that so many security practitioners are accustomed to using daily. As mentioned earlier, Board members are hoping to hear from a CISO who knows the language of business, and that means overly technical presentations are off-putting.
“When communicating with their board, most CISOs need to change their tone from technical ‘project-based results’ to ‘what are the business implications of a potential breach’ and ‘what has the team done to improve the company’s cyber-resilience,” said Mark Weiner, CMO of Balbix.
Instead of long, technical reports, go into a meeting armed with information such as which projects the security team is working on, and how each will make a difference, both in risk posture and in accomplishing business goals.
“The easiest way to get the board’s attention is to put things in terms of business risk rather than technical risk,” said Tom DeSot, CIO of Digital Defense. “Oftentimes putting things in financial terms is the best way to gain the attention and respect of a board. As an example, stating that the company could suffer from a breach is one thing, but then putting into terms about how much it would cost in real dollars if that breach occurred will better illustrate to the board the severity of the situation.”
Make the Invitation Worth Their Time
Audience with the board is the CISO’s time to put security front and center for an organization. With preparation, clear plans and a presentation that casts security and risk in a framework that is understandable, security can be seen as an enabler that helps bring the business into the future.