Getting buy-in: Tips on presenting cybersecurity to the boardroom

Image courtesy: Brett Sayles

As industrial cybersecurity and critical infrastructure breaches mount, chief information security officers (CISOs), information technology (IT) directors, heads of engineering and others who lead cybersecurity initiatives are increasingly required to explain their cyber risks and solutions to their boards. This can be challenging for company cybersecurity officials who are not used to the dynamics of boardroom discussions. Writing in CSO Magazine, Mary K. Pratt provides guidance for anyone who must present cybersecurity initiatives to a board of directors or senior management, based on interviews with several CISOs experienced in doing so. Here is a summary:

Prepare for the boardroom

One CISO Pratt interviewed, when presenting to a board for the first time, would ask his CFO to introduce him to a board member who might help him prepare. He also suggested talking to peers who had presented to that board before to learn more about the members and the kind of questions they might ask.

Another of Pratt’s CISO subjects used a similar strategy, cultivating a relationship with a board member who had a technical background and could help him prepare by reviewing materials. That technical member then became his champion for the security strategies he presented.

In another variation of this preparation strategy, one CISO worked closely with his CEO, sharing his entire presentation in advance and rehearsing responses to anticipated questions. This not only helped him prepare but also ensured that nothing at the meeting came as a surprise to the CEO.

Talk business value, not tech

Not every boardroom has a technically savvy member who can translate cybersecurity language, so it is important to present in the language of business.

“Board members want to know the enterprise risk, the business impact of that risk, to what extent their investments have turned into controls and whether it yielded a meaningful reduction in risk,” said one of Pratt’s subjects. “I show how my programs impact teams that make money; it’s showing how we’re helping them do what they do.”

To illustrate his point, he shared an experience with a company at which malware was taking some 50 machines offline each month. He invested in technologies that reduced that monthly average, and when he presented to the board, he didn’t focus on the cost of the new technologies but instead on the value of the uptime and the overall risk reduction. Of course, hard data like that can be difficult to obtain for operational technology (OT) initiatives, in which case presenting research data such as the following results from a recent Ponemon Institute study might be useful:

“An average of 316 days is spent to detect, investigate and remediate the cybersecurity incident. Based on the use of a threat hunting and incident response team that averages six IT security personnel, it costs an average of $963,168 to detect, investigate and remediate the incident. The fixed costs including the replacement of equipment, downtime, legal and regulatory fines total $2,026,382. This equals the average total cost of $2,989,550.”

Speak truth to the boardroom

Other advice in the article involved neither candy-coating a bad situation on one hand nor telling the boardroom that the sky is falling on the other. The CISOs interviewed recommended against answering questions like “Are we 100 percent safe?” in the affirmative and against giving unfounded assurances. But they also warned against overdramatizing the risk, suggesting a focus only on the data the board needs to make informed decisions about which investments will mitigate the most risk. One interviewee also warned against keeping board members in suspense while building a case.

“If there’s something the board needs to take action on — for example, they need to consider buying cybersecurity insurance or figure out a policy on whether to pay ransom if there’s a ransomware attack — identify that and identify that right up front,” he said.

Go for it

Pratt concludes that the chance to present to the board should be seen as an “opportunity to evangelize on the importance of a strong cybersecurity program as well as to educate on the strengths, gaps and strategies of the organization’s cybersecurity function.”

Bedrock Automation is a CFE Media content partner.
