6 Tips for CISOs Selling Security to the Board
Some CISOs may dread presenting to the board of directors. These tips will help ensure it goes well.
Enterprise security needs to be a regular concern of boards of directors. It is fairly easy to convince boards of this, thanks to the near-constant flow of high-profile data breaches, from the Target and Home Depot attacks to more recent incidents involving the federal Office of Personnel Management, Ashley Madison and others.
"With all of those events, these days [security] isn't a difficult sell," said Jason Maloney, senior vice president, crisis management and data security at corporate communications firm Levick. "Directors have woken up to the threats."
According to the Ponemon Institute's 2015 "Global Megatrends in Security" report, 78 percent of security leaders brief their boards on cybersecurity strategy.
Yet, just because cybersecurity events garner more attention in the board room than they once did, CISOs still need to make effective presentations to get approval for the resources they need to protect the company from current and emerging security threats.
According to the Trustwave 2016 "Security Pressures Report," 40 percent of security professionals feel the most pressure in relation to their security program either directly before or after a company board meeting. That is one percentage point higher than the share who feel the most pressure after a major data breach hits the headlines.
Additionally, the pressure respondents feel to select security technologies containing all of the latest features has jumped from 67 percent to 74 percent since the previous year's survey, but the share that has the proper resources to actually put those technologies to use has fallen from 71 percent to 69 percent.
Do Not Use Cybersecurity Jargon
Members of the board tend to come from business backgrounds, not security backgrounds. So while technical explanations might convey the needed information, they won't "sell" the presentation, several security officials agree.
"Drawing on the headlines for these folks in the board room is a starting point, but your presentation needs to be more than that," said Dan Kaplan, Trustwave's online content manager. "You need to be providing statistics that you share with your company in a digestible way. You might want to show examples of malware or threats the board is facing in an understandable way."
Other security professionals agreed that a data-filled presentation in layman's terms will be the most effective in getting the board to understand and accept the CISO's message.
"Keep it simple. Use analogies. You want to use examples to humanize the information," said Ray Espinoza, vice president and global head of security for Proofpoint.
The most relevant examples will be those involving similar companies in similar industries, Espinoza said.
Provide Relevant Cybersecurity Data
Discussing industry and company peer security and cyberattack data and averages enables the CISO to quickly catch the attention of the board, according to Dale Drew, chief security officer at Level 3 Communications, a provider of managed security solutions.
An industry maturity model review will provide an expert third-party evaluation of the company's security infrastructure and preparedness, Drew added, noting that consulting firms like PwC and Accenture offer these reviews for about $5,000. "These are very clear reports that executives and directors can easily understand."
Use Visual Illustrations
Going beyond a recital of the data to make visual presentations of different points helps as well, Espinoza said. "Know ahead of time what backup data and slides to bring with you."
Even visual presentations need to be kept simple, he said. Graphic information that is too granular or too "busy" will lose the attention of the audience.
Know Your Board of Directors
Espinoza further recommends learning the board's background before the presentation. If some directors have more technical backgrounds than the norm, then the CISO should be prepared to provide more technical detail after starting with the basics.
The presentation should also differ based on the executive structure of the company, said Ryan Kalember, Proofpoint senior vice president for cybersecurity strategy.
Present Realistic Funding Requests
Asking for excessive funding to get the desired funding is a poor strategy, security experts agree. Directors need to balance a company's security concerns and risk with their responsibility of maximizing shareholder value.
"Line out the true cybersecurity risk," recommended Eric Stevens, director of strategic security consulting for Forcepoint. "You can secure yourself into oblivion. You have to be a reasonable person in your industry. The best strategy is to take a responsible solution that strategically aligns with the business."
Follow up and Maintain Contact
Was the presentation successful? The best way to determine that, Kaplan said, is if the board provides the resources needed to get the job done.
Maintaining C-suite attention once a CISO believes he or she has made a successful presentation can be an issue as well. The board may promise the resources, but a couple of months later may not have delivered them.
In those instances, Espinoza suggested leaning on company officers to put additional pressure on the board. Corporate officers may also be able to help the CISO sharpen the focus and messaging of any follow-up communications with board members.
Similarly, CISOs should regularly communicate with board members, keeping them abreast of the latest security developments, to maintain a sustainable relationship with directors, Proofpoint's Espinoza and Kalember agreed.
Phillip J. Britt's work has appeared on technology, financial services and business websites and publications including BAI, Telephony, Connected Planet, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.