When it comes to implementing a company-wide cybersecurity strategy, security executives such as CISOs, IT Directors or Risk Managers often have their hands tied because they need to get buy-in from the Board of Directors first.
Thankfully, cybersecurity has moved up from the server room to the boardroom in recent years, and more and more board members understand how crucial a strong cybersecurity posture is in today’s digitalized business environment.
As stated by Help Net Security: “Cybersecurity strategy needs to be led by the board, executed by the C-Suite and owned at the front lines of the organization.”
Nonetheless, about 87% of board members and C-level executives are not confident in their organization’s level of cybersecurity.
If you are responsible for implementing security strategies for your organization, chances are you will need to present your ideas to the BOD in a way that’s clear, relevant and convincing.
Here are 10 best practices to follow when explaining cybersecurity to your board to get the buy-in you need to secure your business.
Disclaimer: This list of practical tips is not exhaustive and is meant to present 10 best practices that we have found to be useful for our customers’ cybersecurity strategy planning.
Regardless of your industry, business size or cybersecurity maturity level, a successful pitch will depend on how well you know your audience. Make sure to familiarize yourself with each of the board members before entering the room. Get to know their background, position and influence in the organization, pain points and approach to security and risk overall. The more you know about the board members, the easier it will be to relate to them and win them over with arguments that will speak to them.
At a minimum, you should know a bit about the Chairman, as well as the chairpersons of the following committees:
Your board members will better understand your presentation if it is explained in simple terms.
Chances are, your BOD will not be very familiar with the latest security terms, tools and technologies. To make sure you are understood and get your point across, drop the technical jargon and focus on easy-to-understand principles and scenarios. Replace terms like SIEM, DDoS and MITM attacks with universal concepts such as risk management, cyber attacks and security principles.
Bring your presentation to speak to:
Any point that you will want to bring across needs to be supported by a real-life example to help the board members grasp the essence of what you’re saying.
For example, your cybersecurity maturity level could be presented on a simple traffic-light scale from green to yellow to red. The impact of specific cyberthreats can be emphasized with recent news articles showing their consequences, for example the costs incurred by organizations that did not implement proper cybersecurity measures.
If all else fails, bring up some case studies of organizations similar to yours to showcase how cybersecurity strategies have helped secure other organizations against breaches and intrusions.
No matter how convincing your proposal may be, it will be useless if it doesn’t align with the overall business strategy of the organization. Rather than discussing the nitty-gritty of running your security operations, your BOD deals with the high-level strategy of your business and each decision will likely be based on how it will help the organization achieve its overall objectives.
Before you talk to the board, make sure to familiarize yourself with the overall business strategy and goals, and make your arguments in support of these goals.
Remember that your BOD only meets occasionally, and their time is precious. That’s why your presentation should focus only on critical elements and not include information that’s “nice to have” without being essential. By dropping the fluff, your BOD will appreciate your respect for their time and better remember the main points that you want to get across.
There is a simple saying: “you cannot boil the ocean.” Companies have limited resources to manage their risk, and the Board knows it. One of the most important priorities of the Board of Directors is to ensure that risks to the organization are properly managed. During your presentation, explain exactly how your cybersecurity strategy will make a lasting impact on the business. Focus on the major strategies that can improve your cybersecurity posture and strengthen your defenses against threats and intrusions.
By adopting a risk management approach, you will be more easily understood.
Before starting your presentation, make sure to explain clearly what your goal is and why you’re presenting to the BOD in the first place.
The board members should have a clear understanding of what you’re trying to achieve.
Gather your facts and figures and come prepared.
Chances are, the BOD will ask specific questions about where the organization currently stands in terms of cybersecurity, how it has evolved over the years, and how they can measure the level of risk exposure.
Make sure to dig up relevant numbers and statistics to bring your point across. For example, your proposed cybersecurity strategy may require 8% more budget but bring measurable ROI because your risk exposure is reduced by 25%. Knowing the numbers is a key part of convincing the board.
Revealing an issue is one thing; proposing a solution is another. Don’t just talk about your challenges; bring up concrete cybersecurity solutions that will make your life easier and benefit the organization at the same time. For example, your presentation could conclude with a list of 5 concrete strategies that you plan to undertake, each with its budgetary impact, start and end dates, impact on the business and projected ROI. While a high-level conversation is a great starting point, concrete solutions are needed to make a lasting change.
If you can get buy-in from the BOD for your proposed cybersecurity strategy, make sure to explain how you are going to report on your projects and, most importantly, how you can demonstrate ROI to the organization. For example, you may decide to conduct a cybersecurity posture assessment to find out where you stand and where you should be headed.
A measurable progression in your cybersecurity maturity level can help win board members over so that they can rest assured that their commitment has paid off.
For a cybersecurity strategy to be effective and to effect lasting change, security leaders need to be smart about getting buy-in from their board. Keep in mind that your time in front of the BOD is limited, so focus on the elements that will resonate most with them and that align with their priorities and objectives for the long-term success of the business.
If your arguments are clear, relevant and easily understandable, linked to the business’s operations and strategy, and you can demonstrate the ROI of your proposed cybersecurity strategy at the same time, you will have a better chance of getting the buy-in you need for what you are trying to achieve.