
How to Talk to the Board

By Bruce Bonsall, IANS Faculty

Executive Summary


Communicating risk to the board is more of an art than a science. Board members require concise, accurate information with which to make weighty decisions. They are busy people who need to cut right to the heart of important matters. Thoughtful planning and the careful crafting of one’s message are prerequisites to asking for the board’s time. Whether your time in front of them is to educate the board or provide a status update on security, to ask for funding or explain the implications of a privacy breach, information must be delivered with exacting precision. It must be accurate, straight to the point and respectful of their time.

Today’s boards recognize the value of information and unless they’ve been living in a monastery in Tibet for the last decade, they know that organizations everywhere are under cyber-attack. When you go before the board with solutions to important information security issues, they should be very interested.

In this report, IANS helps security professionals avoid common pitfalls and ensure they communicate clearly, effectively and in terms the board understands.


Do Your Homework

When preparing to deliver information to the board of directors, it’s essential to have a fundamental understanding of what boards do. A board member’s central purpose is to ensure the organization’s resources are used to achieve its purposes. Under the corporate law of most states, directors must discharge two primary fiduciary duties:

  • The duty of care requires directors to make business decisions based on all available information and act in an informed manner. If board members find the information they receive insufficient, they are expected to ask questions.
  • The duty of loyalty dictates that when acting on behalf of an organization, board members must set aside their own interests and put the organization first.

For all publicly traded companies in the U.S., the Sarbanes-Oxley Act of 2002 requires that an audit committee be appointed. The board’s audit committee is a logical group to direct appeals for information security program support and it is often a ready-made ally. This is because the three critical functions of the audit committee are to:

  • Oversee regulatory compliance
  • Monitor internal control processes
  • Discuss risk management policies

Odds are, the shortest path to winning support for a security strategy will be through enlisting support of audit committee members.

Know Your Audience

In addition to understanding the basic role of the board, it’s useful to dive deeper and learn a bit about each member. Learning about the background of each person on the board allows you to custom-tailor the message specifically to the individual.

It is extremely likely that you can readily find the information you need about members of your organization’s board on the Internet or in annual reports and press releases. Perhaps even better, the person who is sponsoring your attendance at the board meeting should be able to provide you with insight into the mindset of board members. Find out what the current attitude of the board is on information risk. Don’t go into the lion’s den unprepared.

When the subject of information risk is on the board’s agenda, board members are interested in learning about it. Keep in mind that they are not interested in excessive detail, petty issues or anything that sounds like you haven’t thought the issues through or that you and your colleagues are not in sync.

It is safe to assume board members are intelligent, successful, reasonable people interested in well-developed plans that will help the organization achieve its strategic goals. Your emphasis should be on the well-developed plan. This is an excellent opportunity to get support from the highest levels, so don’t waste it by going in with half-baked ideas.

To summarize, board members are required to become informed and act in the best interest of the organization. Knowing this, your goal is to provide them with the information that will lead them to your desired conclusions.

Be Strategic

A strategy is a larger, overarching plan that can comprise several tactics. Tactics are smaller, focused, less impactful plans that are part of the broader plan.

For example, an overarching strategy may be to improve risk management by reducing the overall attack surface. The tactics underlying that strategy then could include:

  • Detect all ingress and egress points and reduce their number.
  • Create a separate network for the payment card data environment.
  • Patch all known vulnerabilities within 30 days.
  • Find and purge all unnecessary copies of sensitive data files.

Map to Organizational Strategies

The board is strategic in nature and will value a plan of action that will achieve a major aim of the organization. Be aware of the current organizational mission and overall business strategy and make sure your plan maps to that. For example, many organizations are considering taking advantage of cloud services for specific business benefits. It’s better to map your strategy to support that mission, rather than prohibiting migration to the cloud due to perceived risks. If your time in front of the board is for delivering a status report, be sure it informs the board about some significant aspect of the organizational strategy.

The board is going to assume that you, as the CISO, know information risk and technology. Members expect CISOs to work with them at the strategic level. CISOs must speak the language of the business, not the technical jargon of IT security. CISOs tend to provide far too much technical information unrelated to business decisions. Relate to the board in terms of business impact. Security projects don’t lend themselves well to return on investment (ROI) or return on equity (ROE) analysis. They are simply a cost of doing business. Talk to the board about the value of the investment and the benefits the organization will derive from it.

For example, there is a right way and a wrong way to approach funding requests:

  • Wrong: We need a new SIEM tool because compliance says we should probably have one and because a lot of our peers have them. Also, we can’t collect and correlate all the millions of log records every day from Cisco, Check Point, Palo Alto, Juniper, Symantec, Trend Micro, McAfee, Guidance, a bunch of security tools and all our applications, including mobile and VPN. We have no clue what’s going on in our network.
  • Right: We propose the strategic investment in security information and event management – SIEM technology – to provide much-needed visibility into our organization’s information risk environment. It will provide a clearer big-picture view of the threat landscape, allowing for meaningful trend analysis and making better decisions regarding valuable assets, investments in technology, customer care, regulatory compliance and other important business needs.

    Automation is required to manage, correlate and alert on the millions of significant pieces of data in our information systems. A SIEM will increase the value of existing security tools in our environment by weaving together related data. It will protect the business by further ensuring the availability, confidentiality and integrity of the information systems on which the organization depends.

Information risk governance requires strategic direction. It depends on the involvement of senior management in guiding appropriate levels of regulatory compliance, approving policy and setting overall direction. It requires commitment, resources and assignment of responsibility for information security management, as well as a means for the board to determine that its intent has been met. Keeping the board adequately informed requires relevant monitoring, trend analysis and reporting on agreed-upon metrics that represent relative risk levels and associated mitigation efforts.

The monitoring and measuring of information security issues and solutions is part of gaining command of the facts. The facts enable informed decision-making from the operational to executive levels all the way up to the board of directors.

Be Comprehensive

As noted above, the board’s focus is strategic. In addition to their long-range perspective, members of the board typically have a broad, holistic view of the organization. They may be focused on specific issues at times, but generally speaking, their duty of care is for the overall well-being of the organization.

With that in mind, information risk updates and proposals for security enhancements should be framed within a comprehensive information risk management program. Your presentation to the board may be targeted on a specific issue they requested but you must be clear on how that fits into the organization’s entire information risk profile. You want to be prepared with a good answer if a board member asks, “How does this proposal fit in or address other risks we face?”

Plan and Hone Your Message

Whatever your topic is, you’ll be in front of the board of directors for just a few brief moments. You need to use this time with the skill of an entrepreneur who has just a few moments to make a positive impression when asking for funding (i.e., an elevator pitch). Your message must be crisp, your key points defensible and supported with facts.

You should ask yourself: What do I want to achieve or come away with? What am I trying to say? The substance of the presentation should flow from that. Tell them right up front why you’re there. Then, lay down the brief facts, and reiterate at the end what the goal is. Expect questions. In fact, hope for them and plan for them. Put yourself in the shoes of the board and work through the likely questions. Be prepared with the appropriate answers to all those questions, but don’t launch into a diatribe of all possible questions and answers. Be concise, but also be prepared.

Believe in Your Message

Board members and other senior executives will detect any lack of commitment in your delivery and perceive it as your personal lack of confidence in what you are pitching. If you display doubt, you will invite further questioning.

Plan to be questioned and think through the answers. Once you’re able to answer the questions behind the questions, refine your message to answer them upfront. If you're making a presentation intended to persuade the group to do something, the most important tool you have is evidence. Convince your audience with a preponderance of facts and they will have no choice but to go along with you:

  • Example message: We need funding for endpoint protection.
  • Likely questions: What are endpoints? Protection from what? How many endpoints? What’s the value of the endpoints? What’s typically on those endpoints? What’s the value of that? What’s the risk? Are there any regulatory compliance concerns or potential fines for non-compliance?

Think through the facts that support your key points and core message. You should be able to answer most of the potential questions using your key points. Link your answers to your key supporting points and ultimately your core message.

Practice delivering your message to build confidence in your content. Start with colleagues who understand the topic and can help you refine the content. Then, pitch it to a non-security-savvy person who can give you a sense for how clear the message is to a layperson.

Keep Materials Clean and Simple

If building clear, concise materials or handouts is not your forte, get some help. You want only those visuals that support the message so as not to confuse your audience and distract them from the main points. Visual aids must be clear, easy-to-read and compelling. Remember who your audience is. Cartoon drawings are not suitable for the board, unless they are relatively sophisticated and make very useful points.

Admit When You Don’t Know the Answer

When delivering messages or trying to convince people to accept your ideas, you must be believable. You are much better off admitting you don’t know something than attempting to fake your way through.

Although it is far preferable to be prepared to answer all questions that may arise, nobody can be expected to know everything. When confronted with a question to which you have no ready answer, admit that you don’t know and offer to track down an answer as soon as possible. In the eyes of the board, the cost to your credibility is far too high should you seem anything less than accurate and believable.

ISACA Audit Guidance

Due to the great importance of information systems protection, the Information Systems Audit and Control Association (ISACA) published Guidance for Boards of Directors and Executive Management. Your own internal auditors should be aware of these recommendations and assist in compelling executive leadership and the board to incorporate them into the organization’s governance.

The ISACA guidelines include the following:

  • Become informed about information security.
  • Set direction, i.e., drive policy and strategy and define a global risk profile.
  • Provide resources to information security efforts.
  • Assign responsibilities to management.
  • Set priorities.
  • Support change.
  • Define cultural values related to risk awareness.
  • Obtain assurance from internal or external auditors.
  • Insist that management makes security investments and security improvements measurable, and monitors and reports on program effectiveness.

This point regarding monitoring and reporting on program effectiveness is extremely important. A security program must be one of continuous improvement.

Avoid ‘One and Done’

Periodic high-level updates of comprehensive risk assessments and business impact analyses can keep board members properly informed. Board members need to be aware of the organization’s information assets and their relative importance to business operations. Business continuity and disaster recovery readiness assessments often serve as useful input to information asset valuation exercises. These activities should result in board members validating which key assets must be protected and confirming that the protection levels are appropriate.

As the risk landscape evolves, board members should be briefed on the changes and provided with enough information to make appropriate decisions. By getting in front of the board periodically through quarterly or at least annual security updates, it is possible to keep security on their agenda and continue to garner their much-needed support.

In most cases, any access to the board will be facilitated (or not) by someone in senior leadership, such as the CEO, CFO, CIO, general auditor or general counsel. Some of those leaders may want to remain a wall, or at least a filter, between you and the board. Going directly to a board member, ideally one on the audit committee, would be a bold move with which company leadership might not be comfortable. Only by making persuasive requests, and often through connected sponsors, will you get a seat, albeit temporary, at the directors’ table.

Always remember that with visibility comes exposure. When the spotlight shines on you, the security message must be crisp, accurate and in terms the board understands.

Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.
