Once in a lifetime
What is security’s purpose if not to help with risk management? Organizations run on varying degrees of risk—financial risk, operational risk, market risk, sociopolitical risk, etc.—and information security has become a big piece of the risk picture. More and more, heads of security are being asked to present to the board, yet many CISOs continue to struggle with conveying how the operational aspects of security impact strategic risks to the business.
Infosec Insider spoke with Angie Singer Keating, CEO of Reclamere, who has a broad background in security and risk management, to learn her recommendations for creating stand-out board presentations. Having worked on both sides of the business, Singer Keating understands what resonates and what falls flat in the boardroom.
How should a CISO approach a board presentation?
The CISO should start with what is being done at his or her organization that is at or above industry or regulatory best practices. Don't be shy. Brag. This is your chance to present a summary of what's been accomplished since your last report. If appropriate, thank those who contributed to these accomplishments through budget, technical, or human resources.
Always begin your presentation with a succinct summary of the report highlights. Use bullet points, charts, or infographics to convey complex information in an easily digestible format. Executives rarely have time to read entire reports immediately. If you are in a position to be writing such reports, be cognizant and respectful of their time constraints.
Where do CISOs or security practitioners falter when it comes to presenting?
Communication and translating security to business terms. Whatever issue you have, state it first in the language of business (i.e., why does a particular risk present an issue to your organization). Don't assume your audience knows, especially if the risk is highly technical in nature.
For example, an identified risk might be the organization’s over-reliance on anti-virus, without any next-generation endpoint protection in place. Speak to the problem of how this antiquated technology is not sufficient for today's sophisticated attacks; explain that security industry standards no longer consider anti-virus an acceptable business practice for securing user computers.
The business risk—and what the board wants to hear—is that cyber liability coverage could be denied; litigation strategy could be compromised; and when an incident occurs, resources will be diverted away from business-critical projects and initiatives towards cleanup and remediation efforts.
Next, present the solution. Recommend next steps or options, and make sure you talk about the solution in a business context. In our example, the solution could be that implementing next-generation endpoint protection could delay or eliminate the need for an additional full-time employee (FTE) on the IT staff, which saves the organization money. It might mean that your staff would be “X” times more efficient at helping users maintain productivity or working on mission objectives because they will spend less time chasing down false alerts, inspecting or monitoring machines constantly, and taking computers offline to investigate and clean them up after an incident. The business likes to hear about productivity and efficiency, so anything that speaks to these points will be a big win.
The board also speaks the language of “money.” How does this fit into a CISO’s presentation?
Show up armed and ready with ballpark budget numbers, timelines, and metrics for success. Security budgets have increased somewhat over the years, but most organizations report that they don’t have what they need to hire new people or implement new technology. If you are in a resource-constrained organization (and who isn't?), understand that you might have to be willing to postpone certain purchasing in exchange for another FTE, or vice versa. It might mean you have to consider a phased implementation instead of the all-at-once approach that would be optimal. Every business unit experiences tradeoffs; don’t consider negotiation a slap in the face of security.
All of this can feel like a constant struggle. What’s the best remedy?
Never be defensive or speak over the board’s or executives’ heads with techno jargon. You will be a smart person in a room full of very smart people. You are all on the same team. Still, you may not get what you want or need. Remember that every group in an organization thinks its needs are paramount—sales, marketing, R&D, human resources: everyone. If you don't get what you need, ask again. The first time you ask might not be the right time to ask. If it’s an important issue that impacts the risk posture of the organization and you don't see any results or progress after repeated requests, it might be time to polish that résumé.