“The board wants to speak with you.”
Finally. The opportunity you’ve been waiting for. As more executives turn their focus to security, you expected that eventually, you’d get to speak with the board. This is your moment to shine, to convince them of the importance of security.
Are you going to make the right impact?
The answer isn’t as simple as showing up. The key to making the right impact is preparation.
As Kevin West, CEO, K logix (LinkedIn, @KlogixKW) explained, “It is important for security leaders to separate the signal from the noise. The signal is the list of business goals and objectives as outlined by the Board. Maintaining focus on the signal means your security program will always be in alignment with executive priorities, which gains you greater respect in the board room.”
A quick note about the board
Kevin shared a key insight on working with boards, “Board members are business people. They understand risk. What they want to know is how are you going to address the risk. They would rather know about risks upfront than be updated after an incident occurs. Bring the Board a plan that puts security in line with business goals to get the best response.”
Here are some additional tips on understanding the role of executives and how to present the information they need (link). It also helps to be prepared to answer these three key questions to get the funding and support you need (link). You might also want to consider the 5 questions to ask before a breach happens (link).
Three ways to prepare before speaking to the board
By actively focusing on aligning security with the needs of the business, you prepare yourself to enter the boardroom with confidence.
Kevin West suggests the following three strategies to ensure your time before the board is successful:
- Invest in relationships: You should have at least one ally in the boardroom with whom your organization has completed a successful project. Leverage that person’s commitment to security to introduce others in the boardroom to its value.
- Translate technical jargon into functionality: Effective security leaders discuss security in terms of its positive impact on achieving business goals and increasing revenue. Avoid talk of specific threats, technology standards and other items that move the conversation away from business goals.
- Provide proof: Prove that you belong in revenue discussions by providing success stories, reports and testimonials that show how security impacted the bottom line. It helps to consider the security story you share (and practice to get it right).
How it works
Kevin shared a recent example of how effective this method of preparation is:
“One CISO I recently met with told the story of his board being floored when he told them that focusing on 100% prevention would basically put the company out of business - it would make it too hard to do work, too hard for customers to engage with the bank the way they wanted to, and too difficult to work with partners.
Once the board member saw how security was being respectful of key business goals, he had a much easier time understanding our focus on prevention, but also incident response. This conversation happened because that CISO was speaking from a position of strength; he didn’t wait until a breach happened to explain to the Board that it was inevitable. He told them a breach may happen, but there was a plan in place to minimize its impact.”
What are you waiting for?
Whether you enjoy a good working relationship with the board or are waiting for the opportunity, invest the time now to be prepared. Consider the relationships you need -- across the organization -- to be successful. Gather evidence of success.
It helps to set aside our bias for breach prevention. Consider how to quickly detect and effectively respond to incidents and potential breaches. In the process, work to translate the technical aspects into functional understanding. Be ready to explain the value of your program to others, in a way they can understand.
While this takes time and effort, the payoff comes when it’s time to speak with the board. Done right, the conversation is natural and not forced.
Do the work to distill your value, earn the recognition as an IT leader, and have your voice heard by the board. Make an impact that gets results.