6 Tips for CISOs Selling to the Board
There’s a shift taking place in the boardroom: With the recent high-profile cyberattacks like WannaCry and NotPetya, cybersecurity has been placed in the spotlight, making it a much more prominent topic than it was five years ago. Boardrooms are abuzz with questions about these breaches including “how did they happen?” or “what can we do to prevent them from happening to us?”
It’s because of this newfound media attention that CISOs are now being invited into the boardroom “before a breach occurs” to discuss their company’s position in the event of a cyberattack. Recently, leading advisory firm Gartner, predicted that “by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity,” putting the pressure on CISOs to deliver information on cybersecurity posture, risks, threats and incident response plans to an audience who may not have the same level of technical understanding as they do.
With this new level of visibility in the boardroom, many CISOs may struggle to take complex issues – such as how the cyberattack occurred throughout the kill chain, what information was compromised and what the cost is to the bottom line – and show how they are aligned with overall business strategy and risk profile without getting lost in technical jargon.
To prepare for this new level of visibility in the boardroom, CISOs should stick to the following tips:
- Speak the Same Language: Walking into the room and presenting facts that attendees may not understand will only result in confusion and misunderstanding. While board members are very intelligent leaders, they may not be technically versed when it comes to the ins and outs of cybersecurity. CISOs should invest time to learn who their audience is and provide a presentation that will resonate with them while also providing material that they will understand in a format familiar to the board. By presenting information on relevant issues and excluding irrelevant information and security jargon, CISOs can cut down on fear-mongering. Also, it’s important to be prepared to answer questions related to recent data breaches in the news and/or at peer organizations.
- Stick to the Facts: CISOs can show up armed to the teeth with technical stats and graphs but at the end of the day, the board cares about three main things: risks, cost and impact. While it’s unlikely that the board will care about new technologies or features, they will care about the risk to the business, the impact of a proposed plan, and how much it will cost to implement a plan. The CISO should also be prepared to review risks compared to industry peer organizations and trends in security operations projects or posture. Bringing hard facts on risks, cost and impact will go further with the board than any chart or graph.
- Present a Cohesive Action Plan: After CISOs present the facts to the board, the next step is to outline a recommended course of action. This action plan should include clear information on budgetary needs that cover all resources from technology to staffing.
- Be Realistic About Budget: Being prepared to discuss how the security budget compares with industry peers, and why they should spend money on specific challenges, shows board members that the CISO is not just thinking technically but is also focused on the overall business's bottom line. When sharing budgetary needs, it’s important to be practical in what you are asking for and not too far reaching in order to keep the boards interest without seeming too lofty with overall ambitions.
- Share Staffing Needs: Having the right team in place is essential to security operations, which is a challenge in today’s market as skilled security professionals are in high demand. CISOs need to be ready to address this challenge while also coming up with a proposed solution.
- Consider the Consequences: When giving recommendations to the board, CISOs need to deliver an action plan that leaves the board confident in their recommendation. Identifying the cost-effectiveness of being compliant vs noncompliant (which can include stinging penalties and large fees) can ruin a company’s bottom line as well as their reputation. CISOs need to address how a potential breach could affect customers and their loyalty. Time has shown that customers are infinitely more loyal to companies that secure their information over ones that skirt the compliance rules. Once a breach occurs, most companies see their loyal customer base waver, leading to falling stock prices (which results in less money being made for the shareholders). Risk management leader Kroll reports that in 2014, the cost of lost business from a data breach increased from $3.03 million to $3.2 million which includes abnormal turnover of customers, increased customer acquisition activities and reputation losses and diminished goodwill.
By presenting well thought out facts and delivering it with confidence, CISOs will find themselves in a unique position. Beyond being a member of the C-suite, they are the company expert and educator, someone a board struggling with the cybersecurity unknown will appreciate and rely on.