Demystifying the Board PresentationHow to Communicate Security Strategy, Needs
I believe I speak for most security professionals when I say that presenting to an enterprise's board of directors can be one of the most nerve-wracking job requirements of being an executive working in this field. Hardening systems after a reported data breach? Got it. Preventatively maintaining technology through regular updates? Absolutely. Translating complex security infrastructure woes to a room full of executives that have no idea what you're talking about in order to ask for additional budget? Wait a minute ...
Typically, there are two reasons why a CISO or CSO would need to present at a board meeting:
- To solve a problem that has occurred, such as a data breach;
- To request more money to update the infrastructure because of a changed risk profile or another broader issue.
Making an appearance twice a year just to ask for additional budget will not cut it.
I would have to say the latter is by far the most difficult scenario.
The first thing we need to realize about a board-level audience is that showing return on investment is key. This means we need to make sure that the importance of security is top-of-mind for the board members. Making an appearance twice a year just to ask for additional budget will not cut it. The CISO needs to make sure the board members know that he or she is a true enabler of the business. With today's increased threat landscape, consider doing a monthly update on the company's overall security posture or providing a summary of the most serious real-time threats you're detecting and, most importantly, the implications of those threats. This constant interaction will put you and the security team in a different light, as a partner working toward the same goal as those who sit on the board: doing everything you can to advance the business while protecting it.
When it's time for the presentation, especially around IT modernization efforts, forget the "sky is falling" tactic. That won't work. Remembering that the board's language is the bottom line, a good opener might be: "Let me tell you how I'm going to save this company a boatload of money." That statement is sure to get their attention! From there, it will be critical to outline succinctly how your proposal will make the company more efficient - not simply detailing the improved products, but how this important upgrade will help maintain or improve the company's reputation, and if public, how this efficiency will increase shareholder value.
Another key tactic to remember when presenting to the board is leaving the technical language at the door. These are business-savvy individuals you're presenting to; therefore, the security "geek speak" will sound like a foreign language to them. While terms such as SQL injection and cross-site scripting are common in the CISO's everyday vernacular, there is a good chance you will lose your audience if you bring them into the boardroom: "Architecture" has a totally different meaning to them. Instead, try to break down the issue into parallels they will understand or use analogies.
For example, you can talk about the security program as if you're building a house. Not only do you have a full blueprint for the build, but it is critical that you follow the county's construction requirements to stay in compliance. Are the requirements you've been following up-to-date? If you put in less sound electrical wiring now to save a few dollars, what will the long term implications be? Should you go with the single or double-paned windows when trying to conserve energy?
At the end of the day, presenting to a board takes practice. If you remember who your audience is, break down complex topics into digestible sound bites and always bring it back to the ROI, you're headed for a home run. In essence, put yourself in their shoes. There is limited budget - so be sure to emphasize why security important to the overall business and also:
- Be visual when presenting. Numbers will not leave a lasting impression;
- How many attacks did you defend against? What are the attack trends? What are the attacks going after?
- Stage presentations into two categories: 1) Budget. We need an "investment" in security that shows a good ROI. Never say I need "money". 2) 5-10 minutes on the security status. Again - be visual!
- Point being - don't let the only time they see you be when you need an "investment."
- Simplify and equate what the company risk profile looks like. Don't let them get the idea that their investment will make the company 100% safe. The investment will reduce the security risk from X% to Z%.
Hord Tipton is the executive director for (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, with more than 80,000 members in more than 135 countries.