Security: Three Tips When Speaking to the Board of Directors

Friday, December 16, 2011

Jason Clark


Prepping for 2012: 3 Tips When Speaking to the Board of Directors

As the Websense CSO, I often get a chance to discuss key security issues with other CSOs and CISOs worldwide.

I was recently in St. Louis speaking with a group of CISOs about how they are preparing for 2012.

Right now, many companies are meeting to discuss how to allocate budget and resources for the new year. Often it also means discussing what went well and what didn’t.

The resounding theme in my discussion with other CISOs was that the board of directors, for the first time, is really interested in making sure their company is secure.

Many CISOs are getting questions specifically about whether they are protected from targeted attacks, malware, and data breaches. And many of these questions are coming from people who don’t really know what terms like “targeted attack” or “malware” actually mean.

This trend tracks to our recent Security Pros & ‘Cons’ research. We found that 91% of IT security managers report that new levels of management have engaged in data security conversations in the last year.

So, how should you speak to your board of directors about threats and security?

1. Keep it simple.

Avoid industry or technology jargon. If they want more technical details, try explaining it to them as if they were a member of your family. While your board members are very smart, they do not have the technical knowledge you do.

You are the IT security expert and need to communicate in terms they understand. This often means equating security to dollars and cents. Or as I often refer to it, “dollars and sense.”

2. Use images and numbers.

Your board of directors understands numbers. Set the scene with stats, like at “any given time our employees are only two clicks away from a malicious website.” Tell them you stopped XX attacks, XX pieces of confidential data from being stolen/misused, and implemented XX new programs designed to keep the network safe.

I also encourage you to use images. Work with your marketing team to create a mash-up of your web security tools and a spinning globe of the earth. Show a storm cloud advancing over certain cities where your employees are. It will show your board members where the threat is the highest.

There is no doubt your board will ask: "Are you 100% sure you won’t be hacked?" You can reply that while you can’t stop the rain from falling, the company needs to be prepared for the storm and needs to have the proper tools in place to reduce the damage.

3. Repeat yourself often and in an interesting way.

You need to repeat your message multiple times for someone to remember it. So before you get into a board meeting, write out one short sentence that captures what you want the board to walk away with. For example, “We are protected from cybercriminals” OR “We need more funding for IT security or we will get breached.”

Repeat this message at least three times throughout the presentation. Don’t say it three times in a row (you will sound a bit nuts); instead, keep returning to it throughout.

Your communication repetition also needs to extend beyond the board room. You need to communicate on a regular basis with management about your successes or needs. The only time they hear from you can’t be when you need funding or once a year. Once a quarter is the bare minimum—and once a month is ideal.

Here’s a great CSO article on the 9 secrets to getting stuff done in a company. Many of my tips are included in here, as well as insight from other top CISOs in the industry. Also, be sure to check out the Websense Security Labs 2012 predictions. There are some interesting insights on coming trends.

Feel free to leave a comment below on your 2012 plans or any tips you have for effectively communicating to management. You can also connect with me here and we can discuss your 2012 plans.

Cross-posted from Websense

Allan Pratt, MBA: Excellent post, Jason. I totally agree that examples with images, numbers, stats, etc., help to make the impact necessary for Board members and senior leadership teams to better understand the importance of security prevention.
Dave Johnson: This is something that's typically difficult for the more technical among us, as we get caught up in the day-to-day implementation and operations. Being able to have a higher-level conversation with executives is key to receiving the backing that we need to succeed. Thanks for the post!
Jacob Lee: I have recently been asked to present to my company's board because of all the news in 2011. I have heard many of my peer CISOs say that they are also being asked to present to the board. Great news for security! I need some extra advice, so I appreciate the open LinkedIn offer to contact you; I will take you up on that.

I saw you present last month at a CISO summit in San Fran. Great talk and nice post, Jason.
Jason Clark: Allan and Dave, those that have had to present to the BOD in the past need to continue to help our fellow CISOs with examples and best practices. I'd love to hear about any examples that have worked for you.

Jacob, I'm looking forward to connecting with you to share with you what has worked for me in the past and how you can approach your own upcoming presentation.