How to present security to the board

You’ve been called up to “That Room.” Are you ready?


“We’re taking this before the Board.”

While that might be fine for the CEO to hear, for anyone short of the CFO, being invited to present to the Board of Directors can be a scary, even “career-defining” moment. Add the usually non-revenue-focused topic of “Security” to the mix, and end-of-year reviews can be even more stressful than usual.

Part of the DNA of any CEO is in how well he or she can deliver quarterly reports (good and bad) to a Board of Directors, with the usual flair of just enough excitement to keep everybody upstairs interested, all the while keeping them at a safe distance from day-to-day operations. But communicating news of a “Security” bent to the Board on a regular basis, and ahead of an event actually being reported, can be something beyond cathartic to those holding the purse strings. It could actually have a direct impact on how effective (and successful) the CSO and his/her team can be in attaining a host of credibility points in the organization, including such attributes as increased control over operational development, defining policy and increased budgets for those “special projects” no one ever seems to understand but “those security people.”


From a historical perspective, “Security” has usually fallen between the margins of IT and Infrastructure, with a line item mentioned on the annual budget. That was until such things as IoT attacks, DDoS and the rise of malware moved from the back pages of the trade magazines to the headlines of the national news.

With the emergence of the “Chief Security Officer” as a relatively new trend in the C-suite (usually a hybrid role occupied by an IT leader, and often still reporting to the CFO or another C-level), many CSOs understand the virtual bloodlines that carry data throughout the infrastructure, but may still find it a challenge to translate “risk” for those upstairs.

When preparing that key presentation, CSOs might consider integrating the following 10 elements to help manage that all-important, ever-worrisome matter of presenting “Security” in a Board setting:

  • Remember that your priorities are not theirs
  • Be the thermostat and not the thermometer
  • “Headlines, Deadlines and Market-share”
  • Explain what you plan to do
  • Be precise and concise
  • Tie your data to primary business objectives
  • Be sure your information/needs are in alignment with your CEO
  • Explain where you are vs where you want to be
  • Justify cause and effect in basic terms (“Why should this be our direction?”)
  • Know when you’ve said enough (and what not to say)

Lately, as I have traveled around the country, the topic of "presenting security to the Board" has become more prevalent in discussions with executives. Out of respect for the weight and efficacy of this subject, we'll spend the next several posts exploring how to make the best use of this important meeting.

Part 1: Managing expectations

Preconceptions rule the day

Executives have different presumptions based on their unique work experiences, and their perceptions of how security should be addressed and managed will be fundamentally directed by their levels of exposure vs their level of accountability throughout their work histories, as well as by the advice they may or may not be getting from their peers.

The Board brings the same level of preconceptions, also based on their respective (and collective) experiences. Be sure you are managing your own expectations before you begin managing those of others. “It is in your best interests to take responsibility for understanding in detail what the priorities are and what will be considered a success,” writes Lauren Still.

Where all things security are concerned, talking to a Board requires a clear path and simple-to-follow plans of action, based on two key factors: assets (defining and agreeing on what they are) and access (who can get to them, how, where and why).

You say “tomato,” I say “salsa”

One of the first things that can cripple a senior presentation between practice experts (like tech-savvy CSOs) and business leaders (like principal shareholders), is when the language doesn’t align. When preparing for the trip upstairs, be sure everybody is using common terminology to describe the same things.

For example, when describing terms like “malware” and “exploits,” it might be a good idea to define how your organization looks at each, and how you classify levels of urgency around malicious activities. In a conversation, you might start by defining how your organization defines a secure enterprise, and that your risk scenarios “are actively looking at key points where the greatest compromises would impact shareholder value.”

A KISS goes a long way

The old axiom “Keep It Short and Simple” is a good one to keep in mind when presenting facts to the board. Remember that your priorities are not theirs (they’re about profitability and risk appetite, while CSOs are about protecting assets and risk tolerance). And perhaps more important, when you get that call to head up to the suites, avoid the use of the technical jargon that surrounds our industry, and keep acronyms and abbreviations to a minimum.

That said, it shouldn’t stop CSOs from at least giving it the old college try: if asked, for example, how you classify and prioritize your resources, explaining to the board that you are addressing industry-defined “Top 20” attack scenarios to establish your baseline is a good way of keeping the language friendly, simple and relevant.

The thermostat or the thermometer?

Just because the suits cost a little more doesn’t mean that the Board members aren’t malleable to a little suggestive control. While the Chair is the pace-setter for board meetings, the tone of your presentation would best be served by you defining its tenor, rather than relying on others in the room to do so.

It’s often easy to fall into the trap of spreading FUD in a room of unsuspecting-but-inquiring minds, leaving your CEO to pick up the pieces and switch into “Why didn’t you tell us it was this bad?” damage-control mode. However, security execs called to bear witness to the goings-on might consider something a little more palatable: “We believe the rising risks associated with the exchange of online banking accounts within the financial sector of our business are an indicator that we need to focus our efforts on better tuning of our controls, which reduces our latency in responding to real incidents.”

Planning prevents panic

For most C-levels, direct engagement with the Board is probably the highest level of time premium to have to manage, given the tremendous amount of impact they can have on the organization, and the limited amount of time anyone other than the CEO and CFO have with them. Moreover, the Board is usually comprised of people who are not directly tied to the same sector of business as those who maintain the day-to-day operations within the organization, so understanding the business of “where we’re going” is Job #1 for anyone who is presenting to them. Here are three more key elements to infuse into your planning when preparing your board-level presentation:

  • Give them a road map. Tell them something that is relevant to their desire to understand what it is you’re going to do, what you’ve already done, and what you’re currently doing, all with one concern in mind: protecting their bottom line.
  • Be precise and concise. The Board doesn’t want to see 25 slides on how your firewall settings are defending against the latest multi-threaded polymorphic attack. They are, however, interested in your insight into the latest attack trends as they may relate to (and impact) the organization’s assets or infrastructure.
  • Don’t scare anybody. When Boards are confused they lose confidence (in a variety of things, including their decision to ask you to visit them, and the CEO who recommended it!). While that may sound harsh, according to HP CEO Meg Whitman, more board members are becoming aware of security-related issues. Even so, “staying out of the weeds” is still a wise decision when discussing sensitive topics.

What happens next?

In the next installment we’ll look at ways of responding to that Magic Question, the two-edged sword that every executive should be prepared to respond to and embrace (good and bad): “What do you need from the Board?”

Copyright © 2016 IDG Communications, Inc.