Cybersecurity has been gaining traction as a “board-level topic” over the past several years. Boards of directors, along with executive management, all want the answer to “How secure are we?”, but security professionals know that the answer rarely comes wrapped in a tidy little box. Yet CISOs often express frustration about exactly what to present to the board, and how.
Anyone who has reached the CISO level knows that reporting technical details such as the quantity of blocked malware or the number of alerts handled isn’t particularly useful to, or accepted by, strategists whose goal is to run the organization with the least possible friction so that revenues can grow and market opportunities can expand. That said, CISOs are often at a loss for what to present because of a few commonly reported missing puzzle pieces.
If you had one shot, one opportunity
First, clear guidance on what’s expected from the CISO isn’t communicated. Boards don’t have a deep understanding of security and therefore don’t necessarily know what to ask of the security program; they rely on the CISO to provide that guidance. Unfortunately, CISOs aren’t equipped to deliver a message about security’s impact on the business, or don’t feel comfortable redirecting the conversation when the board is asking the wrong questions (e.g., “How secure are we?” or “How does our security compare to other companies’ security?”).
Second, CISOs largely don’t have a firm grasp on what’s important to the business. Security is mired in its own world of threats, attackers, exploits, tools, and vulnerabilities, and commonly doesn’t stop to determine how and where those things fit into the business’s goals. Because business alignment is absent, and because that business-level view is critical to the board and executives, most CISOs report into a CIO or someone who, in turn, reports into the CIO. The hope is that the CIO can filter security through a business-focused lens, but when it’s the CISO standing in front of the board, it’s entirely up to the CISO to make those connections.
Third, even if business strategy is well understood by the CISO and his/her security team, it’s really hard to pare security down to three or four strong talking points. This last point is the biggest sticking point when it comes to the presentation itself, but it’s also precisely what the CISO needs to do.
To seize everything you ever wanted
Before the CISO can get there, however, it’s helpful to put a plan in place to determine the building blocks upon which the board presentation can be built. Christine Vanderpool, Chief Information Security Officer at Molson Coors, says the first questions CISOs should be asking are: Who are the board members who will be in attendance? What are their backgrounds and experience? What do they care most about? Starting from this perspective, the CISO can begin to form a presentation that addresses board members’ needs. If the answers to some of these questions are unknown, that’s the perfect opportunity for the CISO to probe deeper and learn what’s on the minds and what motivates board members. This knowledge will allow the CISO to start tying security’s efforts to business needs.
Another important factor CISOs should consider before presenting to the board, says Vanderpool, is that “the sky is not falling” (most of the time, anyway). Security isn’t rosy all of the time, but a concentrated focus on the negatives—especially in the case of “what if” or potentiality—will do more harm than good when it comes to developing a trusted relationship with the board. “Be you and be honest,” says Vanderpool, so “find the balance” between pointing out areas of concern and sharing what security is doing to keep the organization secure. Doing so is a move towards risk management, which is really what the business cares about versus, “how secure are we?”
When it comes to giving a great presentation, Vanderpool advises CISOs to “choose three things you care most about and are therefore focusing your security team on.” This is not to say that CISOs should pick three things at random; rather, Vanderpool’s point is that CISOs can’t boil the ocean, either during a 60-minute presentation or when running an effective, business-aware security team. The CISO needs to know what’s most in need of protection—certain data and the systems that handle that data, for instance—and build a programmatic approach around that. The desire to “protect all the things” exists in the minds of too many security practitioners, and that’s where the industry continually goes wrong. CISOs should focus on business value, at the operational level first and then as the highlight of a board presentation, both to communicate effectively during the board meeting and to reduce the risk that is reported there.
Would you capture it, or just let it slip?
Preparing for a board meeting—whether you’re a first-time CISO or a seasoned CEO—is a daunting task. Instead of looking at the big picture, break down the steps it takes to achieve a great presentation and tackle them one by one. It can be overwhelming to look at today’s cyber threat landscape and think, “there’s too much against us,” but taking a programmatic approach to creating that presentation will help you determine (most importantly) what the business most values and then show the actions security is taking to help the business achieve those goals.