12 tips for effectively presenting cybersecurity to the board of directors

Cybersecurity is a top concern of boards of directors.

In fact, 42% of the nearly 500 corporate directors surveyed by the National Association of Corporate Directors named cybersecurity risk as one of the five most serious challenges they face, just behind changes in the regulatory climate and an economic downturn, CSO writes.

As a result, security managers are increasingly reaching out to boards of directors to inform them about the risks they face and strategies to mitigate them.

"More and more boards of directors are saying: talk to us, tell us what we need to know," says Gary Haislip, director of information security at Webroot, an Internet security company, and a veteran board member.

However, many board members find that they do not get the information they need from their information security leaders.

"Board members talk about cyber risk, and risk and audit committees spend a lot of time interviewing CISOs, and they are generally unhappy with the experience," says David Chinn, senior partner at the consulting firm McKinsey & Co.

CISOs can take some steps to avoid such negative reviews. Several experienced executives shared their tips for presenting to a company's board.

1. Do more preparatory work

Executives are expected to prepare written reports for distribution to board members several weeks before they present in person. Some think that this preliminary work is sufficient, but experienced executives and board advisers say that CISOs (especially those with little board experience) need to do more focused preparation, or even get special training.

Before Haislip first appeared before a new board of directors, he asked his CFO to put him in touch with a director who was willing to help him prepare for the presentation. "If I'm going to report to the board of directors and I've never spoken to them before, I don't want to go into the boardroom cold. I don't know what questions they ask. I don't know what they want to know. So I'll talk to my colleagues, ask other executives who report to the board, and get their feedback: who's there, what they're like, what questions they ask. That way I know who I'm going to talk to and how they want the data presented," he says.

2. Offer an assessment

Haislip says that this preparatory work, and his subsequent experience presenting to boards, taught him what directors want to know: an assessment of the company's current security posture and how to improve it.

"Tell them where you are now and where you need to be. And every time you come back, you share information about new risks and new opportunities for improvement, building on the information from the previous [presentation]," he says. "Explain to them: this is where we are, this is where we are immature and where the risks are, and based on the threat profile, this is what we should prioritize and why ... and how we stack up against our competitors."

3. Be transparent

According to experts, such assessments should not hide risks from the enterprise, so CISOs should be straightforward and provide up-to-date information in a simple, accessible form.

"Many organizations have threat intelligence teams, and they collect this information for the board of directors so that board members feel up to date," says Chinn. "Board members want to know the corporate risk, the impact of that risk on the business, the extent to which their investments have turned into controls, and whether this has led to a significant reduction in risk."

As a compelling example of how to offer such information, he cites one organization whose chief information security officer (CISO) implemented a self-service application that board members can use to access this information on demand.

4. Anticipate difficult questions

There is no room for surprises in the boardroom. So Rob Clyde, chair of the ISACA board of directors, advises CISOs to anticipate the questions they will get from board members, especially the ones that are hardest to answer, such as "How good is our security?" and "Are we safe?"

According to Clyde, CISOs often fail to prepare for such questions and, as a result, give inadequate or confusing answers on the fly.

He advises CISOs to think ahead and develop their responses. He also recommends that CISOs use a cybersecurity maturity framework, such as the one offered by ISACA's CMMI Institute, to give a clear and meaningful answer to these difficult questions.

Similarly, he says CISOs should not surprise the board, other executives, or the CEO with their answers to such questions. Clyde says CISOs should share their answers to expected questions with their CEOs; in fact, CISOs should make sure their CEOs are aware of any information they submit, so that they do not put their CEOs in an awkward position.

5. Be honest about limitations

In the same vein, experienced executives say that CISOs should be realistic when answering questions about organizational risk and the state of cybersecurity, even if they fear their answers may make them look ineffective. "Some boards will ask: are we 100 percent protected? You should never answer in the affirmative or give inaccurate assurances," says Clyde.

6. Don't scare the board

CISOs see the growing volume and sophistication of cyberattacks, so it is not surprising that they are eager to share that information with their boards, explaining what resources they need to counter all these threats.

"You have some CISOs making lists of all the bad things that are happening and making it look like the sky is falling," says Haislip, "but this [atmosphere of] fear, uncertainty, and doubt doesn't really work for the board, and a CISO may get away with that once, but all he's going to do is tick off the board if he does it again."

The board of directors definitely wants data, he says, but they want to get that information in a way that allows them to make informed decisions later on about where best to direct their security investments to reduce the greatest risks.

7. Get a champion

James Carder, CISO at LogRhythm, a security solutions company, built a relationship with a board member who had technical experience and sought him out as a mentor who could help him prepare for board meetings, review the materials submitted to the board, and advocate for security strategies on his behalf.

He advises other CISOs to do the same.

"Enlist the support of directors. This will give you feedback before you present to the board, and you will be able to get advice on what words matter and what will resonate with the rest of the participants. A board member who supports you can discuss security issues with the other directors when you are not around, and make the necessary changes," says Carder.

8. Get to the point

CISOs are used to giving conference presentations in which they build up to their point gradually, but that approach does not work for boards of directors, whose time is limited.

"Don't hold back. Get to the point from the beginning. The board wants to know up front why you're here," Clyde says. "And if there's something the board needs to act on, for example, whether to buy cybersecurity insurance or whether to pay a ransom in the event of a ransomware attack, identify it and state it right away."

He says that CISOs can provide additional information if time permits, with the understanding that board members can find any necessary detail in the written materials submitted before the meeting.

9. Skip the technical talk

Carder says he once gave the board too much information about his security work. He knew he had made this mistake when board members repeatedly had to stop his presentation to ask about the terms he was using and the concepts he was describing.

"I assumed they knew a certain amount of security technology terminology," he says, "and then I realized that I was overdoing all these details, instead of being concise and reporting on risk."

Carder now deliberately tries to keep technical information out of his presentations: no details about the latest exploits or the latest data loss prevention technology, no discussion of which SIEM vendor or intrusion detection product was selected. Instead, he focuses the conversation on high-level security issues and presents the information in plain business terms.

10. Present your value to the business

Many CISOs cannot calculate the return on their security investments, but the board wants to know what impact those risks and investments have on the business.

This is what Haislip aims for. "I show how my programs affect the teams that make the money; it shows how we help them do what they do," he says.

He once worked for a company where about 50 computers a month were being taken down by malware, so he invested in technology to lower that monthly average. When he appeared before the board, Haislip focused not on the cost of the new technology, but on the value the investment brought to the organization by reducing remediation costs and downtime.

"It's such a valuable story to talk about, plus the fact that you're reducing the risk," he says.

11. Define success criteria

According to Chinn, CISOs should consider whether they are communicating effectively with their boards, knowing that how much support and funding they receive depends on how well they convey the business impact of their security strategies.

Chinn knows a CISO who measures his success in this area by the way his board members respond to news of data breaches at other companies.

"He says he knows he's doing a good job informing the board when board members ask reasonable questions or don't ask questions at all after news of a breach, because it shows that they trust him as director of information security," Chinn says.

12. Take advantage of the opportunity

Clyde says that CISOs should present to the full board of directors, noting that many CISOs present only to audit and risk committees rather than to the full board. They should take the initiative to get onto their board's agenda if they are not already on it.

Moreover, CISOs should treat their time in front of the board as an opportunity to make the case for a strong cybersecurity program and to present the strengths, gaps, and strategies of the organization's security function. According to Clyde, ISACA recommends that CISOs meet with board members at least once a year.

"It's about building trust," says Haislip. "The board sees that you're doing something, and they know not only that you know your job, but that you know your business, and you adjust your security program to support that."

Author: Mary K. Pratt