Some of today’s CSOs never stand before their boards of directors. But, hey, that could change after your next external audit. And while addressing the board may not quite be like arguing a case before the Supreme Court, you’ll still want to make the most of your access. So hearken to David Burrill, head of group security at British American Tobacco (BAT). Burrill has been reporting to the BAT board since he joined the company in 1992.Burrill speaks to his company’s board about four times a year. He also meets with different members of the board (for example, Chief Executive Paul Adams) on an as-needed basis. He generally provides overall security status updates from BAT’s operations around the world. If there’s a crisis, he might appear before the board once a week for as long as the crisis lasts (Burrill chairs the company’s crisis management committee).If he chooses to submit preliminary paperwork, it’s usually a page, never more than three, stating the topic and background information. But Burrill won’t simply turn in a written report. “I give an oral brief. If I stick to the written one, it means I’m not getting formal exposure to the board and I’m not likely to pick up questions they raise in person. I need that interface with them as a corporate body,” he says, pointing out the importance of interpersonal connection. Effectively communicating with the board also reinforces the image of the head of security as an important player in the business. “I tend to talk to them as if I’m one of them,” he says, adding that he doesn’t do a lot of PowerPoint presentations.Burrill speaks proudly of a presentation he gave to the board last year. In 2003, he undertook a megataskproducing a worldwide security cost/benefit analysis for all of 2002, which he says was the biggest such analysis conducted by the company for any function, ever. He says the process worked extraordinarily well and that it proved the value of security by showing that it added to the bottom line. He says that CSOs are too eager to focus on cutting costs. “Very often, on the résumés of security guys applying for jobs, they’ll say how much money they saved by reducing [the number of] security guardsthere seems to be a fixation. The challenge isn’t about just saving on organizational structure. It’s whether you are able to deliver a functional service that adds profit to the company, not just reduce overhead,” says Burrill. Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe