This is the fifth in our series sharing thought pieces from the CISO Desk Reference Guide: A Practical Guide for CISOs, volume 1. In the following excerpt from Gary Hayslip’s essay for Chapter 5, concluding our opening section on the basics, Gary discusses whether or not you are board ready. Please enjoy.

Are You Board Ready?

First, let’s assume you have a mature security program in place and are collecting metrics that you use to measure its maturity and the growth of its value to the organization. To analyze this data and use it to drive change, you have created dashboards that display the information to your organization’s business units. You are excited about the trends you see in the collected information, and you communicate this news to upper management. Then one afternoon, you get “the email” from the executive assistant to your organization’s board of directors. The board requests that you present on your cybersecurity program and the organization’s current risks. You may be apprehensive at first if you have never given an executive presentation. However, recognize that this is an incredible opportunity.

As the CISO, you can educate the board and executive management on how cybersecurity provides value to the organization. So, let’s discuss how you can approach this opportunity (and keep your job) by working through the following questions: “What are the recommended practices for reporting cybersecurity requirements to the board? How should the information be presented? What important aspects of cybersecurity and risk should the CISO convey to the board?”

Boards of directors are tasked with protecting their organizations from significant risk. Their duties generally fall within six areas:

  1. Governance
  2. Strategy
  3. Risk
  4. Talent
  5. Compliance
  6. Culture

To corporate boards, cybersecurity risk is as significant to the business as strategic, operational, financial, or compliance risk. For the board, effective oversight of cybersecurity risk is the difference between learning about cybersecurity only after a breach that has caused significant damage to the company and having a mature cybersecurity program in place that can contain the cost of a breach with minimal exposure to the company. In today’s fast-moving business environment, boards can’t claim a lack of awareness as a defense against allegations of improper oversight. Instead, board members and executive management must educate themselves about cybersecurity and its risk exposure to their organizations. This knowledge is crucial; it enables board members to make strategic decisions with a complete understanding of how cyber risk affects their business plans. With this strategic view in mind, let’s discuss how the CISO, the security program, and the security teams can assist the board with its mission of providing proper strategic oversight.

At the executive management level, the CEO is ultimately responsible to the board of directors for the business’ cybersecurity risk strategy. However, the CEO will typically assign an executive (CIO, CTO, CRO, CISO) with governance responsibilities over information technology or risk management to execute this strategy. The CEO expects this executive to interface with the board and be accountable to the CEO for this strategy’s implementation and overall management.

As I mentioned in Chapter 1, I think the CISO should report to another C-level executive who understands the importance of the CISO position and how cybersecurity can be used as an asset to support the organization’s strategic objectives. This senior executive is vital to the CISO. For example, businesses try to decentralize themselves to be nimble and competitive, while cybersecurity programs try to centralize the company to manage risk more effectively. These conflicting views will remain in a constant state of opposition unless there is a senior executive to provide context and mentorship to the CISO. This partnership between the senior executive and the CISO enables the CISO to see cybersecurity and risk from a more strategic viewpoint, to understand their impact on the business, and to see how the cybersecurity program must support the business.

So back to our plight. Your presence is requested to report to the board of directors on the state of your cybersecurity program and the company’s current exposure to cybersecurity risk. Your relationship with the senior executive you report to is critical. They will be able to assist you in articulating the value of cybersecurity in business terms and demonstrating how the program provides clear business value.

Ideas for painting this picture on business value:

  • Approach this opportunity as if presenting a financial report on a budget.
  • Provide a balanced cost-benefit analysis on cybersecurity projects based on expected results.
  • Describe risk reduction based on specific cybersecurity controls or work processes (it is good to have selected metrics here to provide context, but be careful not to get too in-depth with numbers unless requested).
  • Demonstrate some quantifiable financial returns. Show how increasing a specific cyber metric allows a more robust service or reduces risk to a critical business process. Describe how a mature cybersecurity risk management program increases productivity or provides a cost reduction; for example, how the automation of controls or processes reduces the time required to configure equipment or rewrite code.
  • Discuss how the cybersecurity program enables corporate competitiveness. A mature program allows the company to leverage new technologies to be more competitive, reduce operating costs, and provide superior customer service. Describe how your security program enhances revenue by reducing risk to business operations.

Management is responsible for developing and implementing the cybersecurity strategy; however, the board must fully understand the company’s risk exposure to cyber-related issues. Due to their positions and breadth of governance, boards tend to look at problems from a broader, macro level, whereas management operates at a more tactical level within their specific departments or divisions. When you present to the board, you tell a story. This story should be concise and straightforward and connect the organization’s business goals to your cybersecurity program’s risk management objectives. As you can see, this is very similar to the process you followed when you created security metrics for your program and architected dashboard views to manage them. Your story must have a beginning, middle, and end when you address the board. It also needs to be interesting, and it should have a goal:

  • Inform and Educate – tell the board that leveraging new technology provides opportunities, but that it also introduces new, sometimes unknown, risks that must be addressed.
  • Influence a Decision – make a case for why to take a specific action. For example, we should move the cybersecurity program out of the IT department to address “segregation of duties” issues due to a particular regulatory requirement or move it into the IT department to leverage economies of scale.
  • Change Behavior – show how a current organizational process, behavior, or standard opens the organization up to substantial risk. Demonstrate workable alternatives that reduce risk exposure with minimal impact on business operations.

To tell a story effectively, knowing how you want your audience to feel is crucial. To ensure you construct the correct message, test it on one or more business executives to get their opinion on the information you present and whether it seems clear and valid. Ask them to review your terminology and provide suggestions. You want to be sure that your story demonstrates how cybersecurity offers value to the business.