Security and Business Leadership: How CISOs Should Talk to the Board

In today’s digital world, a technology risk is a business risk. With data breaches and ransomware constantly making headlines and hitting revenue, boardrooms are finally accepting the importance of managing security risks more effectively. However, they still often see CISOs primarily as impediments, notorious for their superpower to slow down and complicate any project for security reasons.

So how can CISOs convey the importance of security to the executive leadership and ingrain security principles into the wider business model? The answer lies in building strong communication with the board. Specifically, to be seen as business-savvy leaders, CISOs must build discourse around the business challenges that executives are most concerned about. By and large, there are three huge challenges that CISOs should keep in mind when talking to board members:

Business challenge #1: Increase revenue and velocity

Your responsibility as CISO is to defend the organization against cyber threats, while the board’s goal is to make the company grow and keep it away from regulatory and legal troubles. Although it’s not always evident, these missions are interconnected, and you need to articulate how defending against threats actually facilitates business growth. There are several arguments you can use.

First, no organization can grow without customer trust and loyalty, and a healthy security posture is a cornerstone of trust. In light of recent breaches compromising the sensitive data of millions of people, your clients and partners will surely value transparency into how your company uses and secures their sensitive data. By enabling you to do this job well, executives are giving themselves a powerful narrative for earning loyalty from a wide range of stakeholders.

Second, you should explain how you tackle security risks associated with regulatory and legal issues that could hinder the organization’s growth. By detailing exactly how you mitigate those risks, you show the board that you understand the company’s pain points and are able to address them effectively.

Finally, you need to discuss how inability to respond promptly to incidents could damage the company’s revenue and reputation. The Netwrix 2018 IT Risks Report revealed that only 17% of organizations have an actionable incident response plan. This statistic is quite disturbing, since there is no way to have 100% security; there is always the possibility of malicious actions and human errors. Therefore, you should develop a thorough incident response plan and explain to the board whether your organization is prepared to recover from incidents as soon as possible to minimize financial and reputational damage.

Business challenge #2: Build a solid business strategy

A strong business strategy must take into account the risks the organization faces, including the cyber risks. Therefore, you should conduct regular IT risk assessments to know the risks your organization faces and map them to business outcomes. When presenting the results of the assessment to the board, be ready to show a list of current and finished projects, summarize spending, and detail the return on the company’s investments in these projects (customer satisfaction, reduced costs, etc.).

Then you should highlight any risks that have not been properly addressed, identify stakeholders from the board, present their role in addressing them and explain your plan for taking action together. This approach will likely enable you to gain support for your initiatives from the individuals accountable for risk, as well as nurture risk-based thinking among the leadership.

In the long term, board members will get used to making decisions in the context of the company’s cybersecurity risk exposure, rather than in the context limited by their separate functions, and security will no longer be an afterthought for them. Instead, when they develop a new project or product, they will ask for your expertise to ensure that their initiatives won’t pose unnecessary security risks to the company. This mindset is extremely important for having a healthy and risk-resilient business strategy.

Business challenge #3: Save time and cut costs

Being able to demonstrate how your security initiatives can help the business reduce time and slash costs on certain processes is the best way to show your department’s efficiency. It is especially important when you are asking for more budget. To support your argument, I recommend having a metrics-heavy dialogue.

For instance, suppose you plan to implement a solution for data discovery and classification in order to enhance the security of sensitive information. Explain how this solution will not only help the company avoid costly data breaches, but also refine data management processes and make data easily searchable, so employees will be able to perform certain routine tasks X times faster and the company will not have to hire additional employees.

If you present the value of your current and future projects this way, the chances that you will get the investment will be very high. Moreover, you will demonstrate that you are not a geeky amateur, but a leader who knows how to count money and is eager to help the company optimize its budget spending.

Additional tips

Also, take into account the following general tips when talking to the board:

  • Take tech terminology out of the conversation. It is better to avoid technical terms and acronyms that non-IT leaders might not understand. Make sure that people do not need a degree in computer science to follow your reasoning and consider your opinion when making decisions.
  • Develop 1:1 relationships. By establishing informal personal relationships with key figures, you will gain credibility and be better positioned to understand their concerns. Later on, you will be able to better tailor your projects to their actual needs.
  • Present security as a business enabler. When you explain the outcomes of your initiatives, make sure to emphasize how they will affect the business. The VP of marketing won’t really care about data discovery and classification per se, but they will be happy to hear that it will help their team purge lost and unengaged leads and focus their efforts on relevant leads.

By focusing on issues that matter to your board and establishing consistent communication with them, you will get executive buy-in for your initiatives. In the future, it will help you extend your influence beyond the server room, enable you to establish a solid security posture, and ensure that the company operates and grows in a risk-based way.

CEO at Netwrix. Steve was previously with Dell, Inc., where he served as Vice President and General Manager of the Windows Platform Management business, as well as VP of Marketing for the Systems Infrastructure Management Group. In the Netwrix blog, Steve focuses on cybersecurity strategies and business leadership.