Two Ways to Present your Security Program to the Board
As reported cybersecurity-related incidents grow in frequency, regulators across industries have been focusing on the role and responsibilities of the Board of Directors. According to a paper published by the Institute of Internal Auditors Research Foundation, “Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.” (“What the Board of Directors Need to Ask”, 2014.)
As a result, the Board of Directors has entrusted Chief Information Security Officers (CISOs) with developing, implementing and maintaining strong information security programs that include preventive, detective and corrective security controls that are reasonable and appropriate, as well as commensurate with the risk.
CISOs face a huge challenge when presenting to the Board, mainly because most Board members are not technical. The first thing a CISO needs to remember is that the vast majority of Board members do not have an in-depth understanding of information security issues. In fact, for many years they have seen cybersecurity as a “technology”-related issue, and therefore as something for the IT department to address. When it comes to presenting to the Board, security generally receives only a short time window, if any at all. In many organizations, security presentations are rolled up into the IT agenda, which is often delivered by a Senior Executive (e.g., the CIO, CRO or COO).
The following are two ways that will help you present and “sell” your security program to the Board:
- Talk in terms that Board members can understand and relate to
When presenting to the Board, it is important to remember some simple rules: be clear, be transparent and go straight to the point. You should be able to convey the message in terms of business importance. One example is outlining the importance of regulatory compliance and the consequences of noncompliance; for instance, noncompliance may result in informal and formal regulatory enforcement actions. Your responsibility is to ensure that all aspects of information security and regulatory compliance are addressed; therefore, establishing trust and credibility with the Board can go a long way. Remember, leave all the technical details out, but offer a follow-up meeting in case someone wants more information.
- Take every opportunity to outline the enhancements to the security program
Directors understand risk, legal and liability issues. Keep in mind that the Board is used to hearing about these during discussions of security gaps, which are often linked to requests for additional investment. You should take every opportunity to outline enhancements to the security program, accomplishments, cost-saving initiatives, the number of prevented security incidents, etc. Finally, the most important thing is to ensure the Board has confidence in the management team.
According to sklatch.net, “There is an important difference between informing an audience (giving them facts that you believe they should know) and communicating with an audience (successfully sharing your understanding and perspective).” This is an important lesson that may help you communicate effectively and get the attention of the Board.