By Ed Bellis, co-founder, CTO, Kenna Security
Historically, when CISOs have been called to speak to their organization’s board of directors, it was an uncommon event. Just a decade ago, the CISO who presented more than once per year was a rare bird.
Times have changed.
Boards of directors are taking an interest in cybersecurity as part of their broad risk management duties. More than ever, they’re summoning CISOs to explain where the organization stands in terms of cyber risk, and some are going to their board every few months.
For most, getting called before the board is a source of anxiety. It can, however, be a source of opportunity for CISOs who adopt one simple skill.
The central skill CISOs need to learn in order to present to their board is the ability to tell a story.
At the heart of that story is a narrative about where the organization stands, both through its own initiatives and in relation to those of peer companies. At the end of that story, you, the CISO, want the board to come to the same conclusion you have about what the next steps are.
Those who make the right presentation cement their status and walk away with what they came for - a favorable response for additional resources, buy-in on strategy, or more latitude in securing the organization. Those who don’t? They probably won’t get a good night’s sleep for a few weeks. Here are a few simple rules for building your story and winning over the board.
Know your audience
Good storytellers tailor their language to the audience.
Unless you work for a very large tech company, it’s likely your board of directors won’t know much about cybersecurity. A presentation laden with technical minutiae will lead to glazed eyes, a lack of engagement, and a sense among the board that you aren’t strategic. Painting a rosy picture of the organization without much detail raises credibility concerns and creates more opportunity for your audience to say no or make no decision at all.
The people who sit on a board of directors speak the language of finance and risk. Speak to the risk of something occurring versus the impact that it will have. Then discuss the opportunity cost of potential solutions in the context of limited financial resources. If you spend money on one thing, you can’t spend it on another. Should you prepare for relatively frequent occurrences that have moderate impacts, or one-in-a-million risks that pose critical threats to the business?
At the board level, the language of risk wins out over the language of lists because it presents a much fuller picture of the organization, one that drives a board toward decisions and action.
Gather your facts
The story you will tell isn’t fiction. You’ll need facts to back it up. The way you gather your facts matters.
At many organizations, a CISO is going to walk into a board meeting with a tidy spreadsheet that lists all of the vulnerabilities and weaknesses they’ve remediated. Then they’ll discuss the risks the organization faced -- the vulnerabilities that haven’t been addressed and the laundry list of everything that could possibly go wrong. The tale is one of fear and uncertainty, designed to deflect blame in the event of a major breach.
This isn’t storytelling because there’s a huge hole in the plot. Hanging over the entire presentation is a question the CISO can only barely answer: If the remaining issues are that risky, why weren’t they resolved?
The board will never know whether the issues that have been addressed represent the biggest risks or merely the easiest fixes. The CISO, meanwhile, can’t credibly assure the board that the organization is any safer.
Plenty of organizations still report on vulnerability management by counting the number of vulnerabilities remediated. But there’s been a tidal change in the industry toward quantitative analysis of risk. It will be far easier to tell your story if you can speak the complicated language of risk, resources, and tradeoffs.
Questions are a sign that your audience is engaged with the material. One of the primary questions you’ll get when going before the board is “What are other companies, similar to us, doing?”
In cybersecurity, it can be a tough question to answer. The industry is, in many ways, still in its infancy, and the depth of the publicly available data and benchmarks can be lacking.
Answer this question in a few ways. First, look to industry associations for benchmarks. What are companies within your industry seeing in terms of both threats and common areas of risk? Is there shared data that can be used to learn more about the risks your organization faces because of its industry? It’s important to look for benchmarks according to both size and industry, because a large organization is going to face different risks than smaller ones, while some industries may tolerate more risk than others. The industry-specific Information Sharing and Analysis Centers (ISACs) are a good example of such a source.
You may also rely on frameworks such as Factor Analysis of Information Risk (FAIR), a widely used method for quantifying overall information risk. Standards such as FAIR allow you to measure risk in a consistent manner while speaking the same language as your board.
Lastly, talk to other CISOs, even those of competitors. Benchmarks and FAIR analyses are useful, but it’s also important to know what competitors are actually doing. Are they undertaking new initiatives? Hiring more people? Using new tools?
Some of this information might be held back for proprietary reasons, but competitors have strong incentives to cooperate in fields like security and anti-fraud. A breach at one company can elicit more frequent attacks on peers or turn consumers against an entire industry.
A story that needs telling
It’s no surprise that CISOs are drawing the interest of top brass. You don’t have to suffer through the anxiety next time you’re called before the board. Done right, board presentations are an opportunity to advance the organization’s overall security.
But it’s important that you start with a good story.