Discussing Cybersecurity with the Board

Oftentimes when a CISO or another cybersecurity exec walks into the board room, the board members are bracing themselves for an ever-bigger budget request. And that is how many cybersecurity professionals approach their time with the board: As an opportunity to plead for more funds. The board members, meanwhile, are left wondering why the millions they already approved for firewalls, email gateways and anti-malware software weren’t sufficient.

There are those cybersecurity executive who take the opposite approach. For them, their precious time with the board “is not about getting more money,” says Josh Douglas, vice president of threat intelligence at Mimecast. “It’s about communicating how they can actually save the company money by illustrating how they’re making the company more secure.”

It’s a magic trick that transforms a board presentation from yet another request for funding into a discussion about the organization’s cybersecurity status and the best strategies going forward.

Changing the Threat Intelligence Conversation

Winning the support of the board is critical to effectively addressing cyber risk, yet communicating the value of cybersecurity remains a challenge for many cyber professionals. This make it difficult for them to secure the requisite investment in tools and manpower to keep up with the ever-evolving threat landscape. “If you don’t articulate the value properly,” says Mark Toshack, Principal Product Manager at Mimecast, “you will never get resources to combat the danger.”

Cybersecurity experts may want to wow the board with assurances that the company is protected against attacks. But with threats mounting on nearly a daily basis, this may be making a promise they can’t keep. A better approach, says Douglas, is to identify the things you are able to control.

That begins by assuring the board that the IT and cybersecurity organization is making the best possible use of its resources, rather than asking for yet more tools or investment.

If, in fact, there are holes in the company’s defenses, , one effective way to bring that to the board’s attention is to highlight an area of cost savings and explain how those funds can be reallocated to close some of the gaps without additional funding. “That creates a much different discussion with the board, rather than going in there and telling them we’re missing this piece and that piece,” Douglas says. “It’s a whole different story.”

A New Way to Measure and Report on Cyber Risk

Another mistake cybersecurity executives make when communicating with the board has to do with the type of metrics that they use. Quantifying the company’s cybersecurity posture by how many products are in place or how many threats the firewall has intercepted in the last month, is counterproductive, since this kind of  information fails to convey the true state of the business’  defenses. The board, on the other hand wants to know how prepared the cybersecurity team is to disarm any attacks. “They want to know that, no matter what an adversary throws at us, we’re ready,” says Douglas. “That means moving from largely quantitative metrics to some more qualitative ones.”

Such measures may include assessing how aware employees are of cybersecurity risk and the steps they need to take to mitigate it, the company’s risk profile compared to other members of its industry and progress to date on closing vulnerability gaps. To present this information, one effective tool is a dashboard that can visually compare and contrasts these measures over time.

Making use of a dashboard like this can give cybersecurity executives a leg up in the board room. They can measure, track, and ultimately report to the board on the organization’s efforts to manage its biggest cybersecurity risk factors, including human error and exploitation of the company’s brand. Such a dashboard provides a snapshot of how the organization is progressing with cyber awareness training and brand protection efforts—highlighting where ground has been gained and where more work may be needed.

Explains Toshack, “That changes the conversation from a defensive one, where the cybersecurity leader is under pressure to explain things, into one in which he or she is in a position to show how the organization’s investments have improved its security posture and what its plans are for improving in the future.”

Adds Douglas, this is precisely what the board wants to know: how the company is doing, how it compares to everyone else and what steps are being taken to shore up any weak spots. “If you can answer those questions,” he says, “the board will have confidence that you’re doing a good job.”

The Bottom Line

CISOs and other cybersecurity execs err when they view their time with their board as an opportunity to solicit more funds. A much more effective approach is to describe the company’s key vulnerabilities, the steps that have been taken to shore up those risks and any weak points or shortcomings that still need addressing.