From CISO to Board: Explaining Cybersecurity

In my previous post, we discussed the intricacies involved when IT security managers communicate cybersecurity initiatives to their organizations’ C-level executives. We also gave some recommendations on how to win C-Suite support for those types of initiatives. Today, we take on the next level by discussing how a CISO or C-level executive should in turn communicate those initiatives to the company’s board of directors.  

Aligning security strategy with business goals 

If you’re a CISO who reports to the board of directors, make sure that before you ever present to the board you have already aligned your security strategy and initiatives with business goals. Once that is done, you’ll find it much easier to explain (and your board, in turn, will find it much easier to understand) how a security function or technology enables the business.

This enablement should be quantified. When you argue that acquiring a particular security solution is critical, you should be able to translate that into the following terms:

  • How it will reduce your overall spend by x-percent 
  • How it will reduce risk to the business by x-percent of revenue  
  • How it will increase margin by x-percent

Presenting the importance of IT and security 

Meeting with the board of directors should be devoid of hyperbole and scare tactics. The last thing you’ll want to do is walk in there, recite a list of data breaches and then cap off your presentation with a dramatic, “It’s not a matter of if but when…” Remove the drama and stick to the facts. 

With the plethora of data breaches, malware outbreaks, and other cyber incidents now grabbing their share of the spotlight in the news, it won’t be surprising if most of your board members already have some awareness of cybersecurity. What they are more likely interested in at this point is: how important is it? How much will it cost the organization, or save the organization, if you do this, and how much if you don’t?

If you’re running an enterprise risk management (ERM) program, like most CISOs now do, everything you take up to your board should have a dollar figure associated with it and a clear representation of whether that dollar figure is above or below your organization’s risk appetite.  

CISOs who have a good handle on their ERM also have a solid understanding of business impact analysis. They understand the ideal IT spend from a business perspective and can tie that back to their initiatives.

Securing the right security budget  

Let’s say the PCI Security Standards Council issues a new requirement that compels you to purchase a solution. For example, this year, one of the requirements was to incorporate multi-factor authentication for all non-console administrative access into the CDE (Cardholder Data Environment).

Most board members will probably have no idea what that means, nor do they care. When you bring that to a board meeting to request funding, present it in layman’s terms. Your board won’t understand what you want, or how critical it is, if you pepper your presentation with technical jargon.

Instead, present your initiatives in the following manner, “PCI DSS has changed … This is a new control … Implementing that control would cost an X-amount of $ … If we can’t meet that requirement, this is the dollar-equivalent risk to the business.” (Again, in dollar form.) 

Unfortunately, while some CISOs are CPAs or come from a finance-related background, many CISOs don’t have a business background and may have difficulty justifying their initiatives in financial terms. The good news is that the supporting data needed for this line of explanation can be gleaned from an ERM-style program.

Another thing you will want to learn is how to calculate the percentage of revenue you can reasonably ask for. For example, some businesses operate on a 7% margin, while others operate on a very tight 1% margin. IT spend has to fit within that 7% or that 1%, and security spend within a fraction of that. If your proposed spend would exceed it, the chances of approval are slim. Understand your company’s core business and have a very clear picture of overall IT spend as compared to revenue.

We like to group threat actors into three categories:

  • C-level (Commodity threats, consisting mostly of script kiddies) 
  • B-level (Targeted threats; organized cyber gangs and most nation-state groups)  
  • A-level (Advanced targeted threats) 

Typically, activity by C-level actors makes up 80% of threats, B-level about 19.99%, and A-level about 0.01%. It’s important to know who your adversaries are: depending on which type of threat actor is most likely to attack your environment, the amount of money you will need to spend on solutions and cybersecurity talent can range dramatically. Focus on the actors likely to target your environment.

It would be highly inefficient to set up defenses against threats that have little or no practical impact on your business. More importantly, the budget for that will likely exceed your company’s financial capabilities and be rejected by your board. Knowing the limits of your business, the actual threats you face, and your risk appetite will help you craft a more realistic and appropriate budget request.

Whatever the budget, it’s imperative to note the importance of cooperation in building a cybersecurity culture. It’s not just the responsibility of your CISO, C-Suite, or board of directors. It belongs to everyone in your organization, from your company’s top executives down to all your employees.

Only through understanding business goals, knowing how to present your security solutions and initiatives to executives in the right way, and making reasonable budget requests based on risk can CISOs and C-Suite executives be successful in obtaining board approval. 
