In today’s uncertain business environment, the board of directors is becoming more security aware. They watch the news and read articles on the latest cyber incidents, and wonder to themselves if their company will be next. Many of them also do research on what their competitors are doing to reduce their cyber-security risk.
As the CISO, you will be the organization’s expert for this evolving uncertainty. It will be incumbent upon you to report to your organization’s executive management on issues relating to risk exposure, cybercrime, compliance issues, and newly evolving threats. To do this effectively, you will need to establish an executive-sponsored cybersecurity program. This program will enable you to provide cybersecurity as a service (CaaS) to your organization and its business units. These cyber services, their impact on the organization, and any resultant risk exposure will periodically need to be reported to executive management. It is this process of presenting to the board and executive management that we will cover in the discussion that follows.
As I mentioned in the previous chapter, reporting to management and the board of directors is a unique experience. The way you prepare your reports, how you present your data, and the preparation required to ensure you are effective are skills you must learn as CISO if you expect to grow your cyber-security program and be seen by the company as a business enabler. This leads us to several questions, which we will discuss, about why CISOs must know how to create effective security presentations and use them to educate senior management teams.
Are You Board Ready?
To begin, let’s assume you have a mature security program in place and you are collecting metrics that you will use to measure the maturity and growth of its value to the organization. To analyze this data and use it to implement change, you have created dashboards to display this information to support your organization’s business units. Now as CISO, you are excited about the trends you are seeing in the information you have collected and you communicate this news to upper management. Then one afternoon you get “the email,” that’s right, the email that comes from your organization’s executive assistant for the board of directors. The board is requesting that you present to them the information you have on your cyber-security program and the current risks the organization faces. At first, if you have never done an executive presentation, you may be apprehensive. However, recognize that this is an incredible opportunity.
You, as the CISO, have the chance to educate the board and executive management on how cyber-security is providing value to the organization. So let’s discuss how you can approach this opportunity with the following questions, “What are recommended practices for reporting cyber-security requirements to the board? How should the information be presented? What important aspects of cyber-security and risk should the CISO ensure are conveyed to the board?”
Boards of directors are tasked with protecting their organizations from significant risk. Their duties generally fall within six areas (Leech, 2015):
To corporate boards, cybersecurity risk is as significant to the business as risks posed by strategic, operational, financial or compliance operations. For the board, providing effective oversight of cyber-security risk means the difference between learning about cyber-security after a breach with significant damages and having a mature cyber-security program in place that can mitigate the damages of a breach with minimal exposure to the company. In today’s fast-moving business environment, boards can’t claim lack of awareness as a defense against allegations of improper oversight. Boards of directors and executive management must educate themselves about cyber-security and its risk exposure to their organizations. This knowledge is crucial; it enables board members to make strategic decisions with the full knowledge of how cyber risk impacts their business plans. So with this strategic view in mind, let’s discuss how the CISO, the security program, and security teams can assist the board with its mission of providing proper strategic oversight.
At the executive management level, the CEO is ultimately responsible to the board of directors for the business’ cyber-security risk strategy. However, the CEO will typically look to an executive (CIO, CTO, CRO, etc.) who has governance responsibilities over information technology or risk management to execute this strategy. This executive will be expected to interface with the board and be held accountable to the CEO for this strategy’s implementation and overall management.
As I mentioned in Chapter 1, it’s my opinion that the CISO should report to another C-level executive who understands the importance of the CISO position and how cyber-security can be used as a valuable asset to support the organization’s strategic objectives. This senior executive is critical to the CISO. Business tends to try to decentralize itself in order to be nimble and competitive while cyber-security programs tend to try to centralize the business in order to be more effective in managing risk. It’s obvious that these conflicting views will be in a constant state of opposition unless there is a senior executive to provide context and mentorship to the CISO. It’s this partnership between a senior executive and CISO that enables the CISO to see cyber-security and risk from a more strategic viewpoint and understand its impact on the business.
So back to our quandary. You have been informed that your presence is requested to report to the board of directors on the state of your cyber-security program and the company’s current level of exposure to cyber-security risk. This is where the senior executive you report to is critical. He/she will be able to assist you in articulating the value of cyber-security in business terms and demonstrating how the program provides clear business value.
Ideas for painting this picture on business value
- Approach this opportunity as if presenting a financial report on a budget.
- Provide a balanced cost-benefit analysis on cybersecurity projects based on expected results.
- Describe a reduction in risk based on the use of specific cybersecurity controls or work processes (it is good to have metrics here to back up this picture).
- Demonstrate some quantifiable financial returns.
- An increase in a specific cyber metric allows a more specific service or reduces risk to a critical service.
- A mature cybersecurity risk management program increases productivity or allows for a reduction in cost – automation of controls or processes reduces the time required to touch equipment or rewrite code.
- Discuss how the cybersecurity program enables corporate competitiveness. The company can leverage new technologies to be more competitive, reduce operations costs, and provide superior service to its customers.
Management has the responsibility to develop and implement the cyber-security strategy; however, the board has an obligation to fully understand the company’s risk exposure to cyber-related issues. Boards, due to their positions and breadth of governance, tend to look at issues from a broader macro level of operations while management operates at a more tactical level within their specific departments or divisions. Your job when you present to the board is to tell a story, a story that is concise, simple and connects the organization’s business goals to your cyber-security program’s risk management objectives. As you can see, this is very similar to the process you implemented when you created security metrics for your program and architected dashboard views to manage them. When you address the board, your story needs to have a beginning, middle, and end. It also needs to be interesting and should have a goal:
- Inform and Educate – you wish to tell the board that leveraging a new technology provides opportunities; however, it also provides new risks that must be addressed.
- Influence a Decision – make the case for why a specific action should be taken, for example, the cyber-security program should be moved out of the IT department to address “segregation of duties” issues.
- Change Behavior – show how a current organizational process, behavior, standard, etc. is opening the organization to substantial risk. Demonstrate workable alternatives that will reduce risk exposure with minimal impact to business operations.
Since you are in effect telling a story, it is crucial to know how you want your audience to feel. To ensure that you are constructing the correct message, test it on one or more business executives to get their opinion on the information you present and whether it seems valid. Ask them to review your terminology and provide suggestions. You want to be sure that your story is demonstrating how cyber-security is providing value to the business.
To assist in preparing for your board presentation, ask senior management for a board-level sponsor. This sponsor will be your sounding board as you create your presentation and can help you convey your message and answer the dreaded question, “What do you need from us?” There are multiple strategies to assist you in formulating your narrative. One that I would suggest you start with is to increase your business operations knowledge. You need to review the organization’s strategic plans and annual reports and interview executives within your company. This will give you more insight into the business drivers that are critical to the board. They are also critical to you because you must ensure that your metrics and presentation are aligned to support them. Another strategy I would suggest is to compare/contrast with your peers if possible or use a framework such as NIST CSF or ISO 27001.
Risk posture is difficult to measure. Using a framework to provide visual data on the maturity of a process is a good proxy for risk posture and it provides a picture for board members of the maturity of your program. I would also suggest that as you create your presentation, be sure the data displayed in your slide deck is at a high level. Don’t present slides full of minutiae. You can provide an appendix with the in-depth data for those board members who wish a deep dive, but you don’t want to lead off with a slide deck full of intense data and graphics the board members won’t understand. To make sure your presentation is on the right path, talk to your sponsor and ask to speak to a senior executive who recently presented to the board. Ask to include them as part of your test audience and have them give you feedback on whether the data contained in your slides is digestible.
There are several last points I want to make as you prepare to build your slide deck…
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.