Monday, February 14th, 2022
7 Tips On How To Talk To Your Board About Cybersecurity
Many CIOs and CISOs struggle to communicate their cybersecurity strategy to board members and to make them aware of the critical risks facing the organization. In a world where threats are constant, more risk means more budget, and to justify the spend you must clearly present the risks, the plan you will implement to protect the company's assets, and the rationale behind the cost.
You must demonstrate your own and your security team's competency in a form that translates well and leaves the board with no unanswered questions. Turning your content, figures and metrics into something a non-technical board can act on is, however, often the hardest part.
Here are our tips for success when talking to your board, so that your message lands in the most effective way:
1. Lead with Resilience and overcome your Fear
Managing your own fear and expectations is the first hurdle when presenting to your board. It is vital that you prepare and feel ready for any question you may be asked; practice makes perfect here. Keep the board focused on the main points you are trying to get across. Step out of your everyday mindset of running SecOps and IT operations, put yourself where your board members are and think the way they do. Aligning on board priorities in advance shows that you prioritise strategically around business objectives and helps ensure a common understanding among all stakeholders.
Just as security teams focus their efforts on detection, mitigation and resilience, CISOs should encourage the board to look at how well the organization is equipped to respond when the inevitable does occur. A major element of this is recovery: how quickly critical services can be restored, not only whether an incident can be prevented.
2. Build Engaging Boardroom Content
Be concise: avoid providing too much information and eliminate technical jargon. Leave the acronyms at the door. Less is often more: use minimal text, and include graphics and visuals to convey your key points and to communicate what the data means, not just the data itself. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate business impact. Welcome strategic discussion and dialogue between directors and senior management.
Measure the effectiveness of your security program continuously. Your measurements should introduce metrics that identify areas of excellence, weaknesses, and threats that require immediate attention. A big step in this process is to define the desired business and risk management outcomes first, so that the metrics clearly guide decision-makers toward improvement rather than simply reporting activity.
Effective communication with board members and executives is vital to getting your cybersecurity agenda across. Supplying your board with the right information can ensure they can support your goals to protect against today’s often unpredictable security threats.
3. Conduct an independent gap analysis 3 months in advance
Get an independent view of your current cybersecurity state and present the facts. Even if you have a good security team in place, having your systems reviewed independently on a regular basis gives you an accurate picture of what your risks are and how you benchmark against best practice. If your organisation operates under a strict compliance mandate, chances are that your clients or regulators already request regular proof of third-party audits. A third-party auditor can help you understand how your organisation's security architecture compares with those of your peers, how it measures against industry standards, and what your overall security maturity level is. A gap analysis is a practical way of identifying which specific areas of security you need to focus on improving. Its findings can be added to your risk register, where each item is tracked, quantified (likelihood and business impact) and assigned an owner and an action. A snapshot of that risk register, presented to the board, greatly facilitates the budget discussion because every requested euro maps to a named risk. Doing this roughly three months ahead of the board meeting leaves time to validate the findings and cost the remediation.
4. Bridge the Gap
CISOs should be prepared to communicate their organisation's security posture, highlighting the gaps and potential threats in their security program. Security frameworks are an effective tool for this. While your board may not fully understand technical frameworks such as MITRE ATT&CK or the NIST Cybersecurity Framework, these frameworks provide a programmatic, logical and standardised way to evaluate the completeness of a security program against industry benchmarks. Use them to give the board a contextual overview of the technologies your organisation already has in place (such as next-generation firewalls, SIEM and endpoint protection) and of the technologies you plan to implement to close gaps in your architecture (such as cloud access security brokers and network detection and response). Measure security maturity against the same framework each time so you can show current state and progress over time.
5. Focus on the Risks versus the Rewards
A critical success factor for CISOs in the boardroom is mapping the priorities of the security team to key business objectives. While the security team might consider a certain task a significant achievement, the board may not understand the business implications of that effort.
If CISOs brief the board on the organization's top objectives and on how the security program directly supports them, the conversation will be much more productive.
6. Be ready for the questions your board will definitely ask
It is very unlikely that your board will ask only basic questions such as "How secure are we?" or "Why do we need more money for security when we approved X last year?"
The questions they ask will be much more specific and precise. Be ready to answer in terms of revenue or mission, cost (both future cost avoidance and immediate reductions in operating expenses) and risk.
7. Look to the future
You must have an end goal in mind. If CISOs can demonstrate a clear understanding of business requirements and objectives, and explain which security measures need to be in place to achieve them, the conversation is reframed from "if" to "when".
If you cannot secure all the funding you need, work with your board to build a plan that covers one department at a time with the budget you can get. This lets you prove the effectiveness of your recommended security tools and practices to the board over time, and makes visible what happens to the departments left exposed.
Need more tips? Come to our Zero Day Con event on March 10th in Dublin.