How to Talk to the Board of Directors

Some of today's CSOs never stand before their boards of directors. But, hey, that could change after your next external audit. And while addressing the board may not quite be like arguing a case before the Supreme Court, you'll still want to make the most of your access. So hearken to David Burrill, head of group security at British American Tobacco (BAT). Burrill has been reporting to the BAT board since he joined the company in 1992.

Burrill speaks to his company's board about four times a year. He also meets with different members of the board (for example, Chief Executive Paul Adams) on an as-needed basis. He generally provides overall security status updates from BAT's operations around the world. If there's a crisis, he might appear before the board once a week for as long as the crisis lasts (Burrill chairs the company's crisis management committee).

If he chooses to submit preliminary paperwork, it's usually a page, never more than three, stating the topic and background information. But Burrill won't simply turn in a written report. "I give an oral brief. If I stick to the written one, it means I'm not getting formal exposure to the board and I'm not likely to pick up questions they raise in person. I need that interface with them as a corporate body," he says, pointing out the importance of interpersonal connection. Effectively communicating with the board also reinforces the image of the head of security as an important player in the business. "I tend to talk to them as if I'm one of them," he says, adding that he doesn't do a lot of PowerPoint presentations.

Burrill speaks proudly of a presentation he gave to the board last year. In 2003, he undertook a megataskproducing a worldwide security cost/benefit analysis for all of 2002, which he says was the biggest such analysis conducted by the company for any function, ever. He says the process worked extraordinarily well and that it proved the value of security by showing that it added to the bottom line. He says that CSOs are too eager to focus on cutting costs. "Very often, on the résumés of security guys applying for jobs, they'll say how much money they saved by reducing [the number of] security guardsthere seems to be a fixation. The challenge isn't about just saving on organizational structure. It's whether you are able to deliver a functional service that adds profit to the company, not just reduce overhead," says Burrill.

Cybersecurity market research: Top 15 statistics for 2017