Talking to the Board About the New Realities of IT Security

Between the recent shifts in remote access and headlines filled with high-profile cyber attacks, getting board approval has some increasing challenges for IT security executives. Read on for insight on how to talk to the board of directors when it comes to new realities of IT security, based on my interviews with dozens of CISOs and IT Security executives in the past few months.

Key goals:

• Achieving alignment across the board
• Building a "roadmap to yes"
• Focusing on risk and reward for core business objectives

Know Your Board of Directors

The first key to success: Listen before you talk. Understanding the board's key goals and priorities will allow you to frame your own security goals and metrics in a way that will resonate.

It helps to identify a sponsor on the board—one person who can help you understand the board's mindset and who can be an advocate for you. Invest time in your relationship with that one person and they can help to steer key security-relevant decisions.

Keep It Short and Get to the Point

Keep your discussion with the board short, sweet, and focused. It helps to keep it high level—and not get too technical. Prepare for your board meeting by practicing with a non-technical audience who can flag anything they didn't understand.

Send the board your materials before the meeting to answer any questions beforehand, keeping the discussion fast and focused during the board meeting. Use your meeting time to drive key decisions, not clarify points of confusion.

Begin with the end in mind: Consider upfront how you want them to feel when they leave. Thinking about the emotional outcome is key.

Prepare for Difficult Discussions

Go through the topics to be discussed and flag anything likely to be a sticking point. Then run a mock exercise before the board meeting, practicing your answers for the hard questions you'll have to answer.

For example, reactivity versus resiliency is one difficult discussion that may come up. With significant attacks taking over headlines, it's natural for the board to ask "What are we doing to make sure this doesn't happen to us?"

In these instances, it's important to lead with resilience. Of course prevention is important, but it shouldn't tip the balance too far into reactivity. If the last big breach happened due to a cloud misconfiguration, it makes sense to ensure you don't have the same misconfiguration. But fixing one high profile problem shouldn't limit what needs to be a broader and more forward-looking perspective.

Inevitably something will go wrong, and it's critical to have a plan in place to survive it. Resilience means that if a building catches fire, you know where the nearest fire station is, how to call them, and what to do until they arrive—instead of standing there saying "But, we thought we couldn't catch fire."

Use Frameworks for Education and Credibility

Frameworks like MITRE ATT&CK and NIST can help you explain your security maturity. Back that up with data—external audits, penetration testing, and any available internal data. Frameworks are a credible independent source of information and provide standardized ways to measure security maturity.

Then bring it all together to establish a roadmap (e.g. layering your security via defense in depth) for investments to get support from the board.

Be proactive in establishing a baseline that explains where you are now, and then talk about your priorities—pick your top ten. Provide gap analysis, demonstrating how to get from your current baseline to your goal state.

Use recent high-risk vulnerabilities (like those with a CVE rating of 10) as impactful examples to help demonstrate how your identified investment priorities can close the gap between your current security and your goals. Then tie them in with the priorities you know are important to the board.

Use Key Performance Indicators

KPIs will help to show tangible progress in your security program. It helps to establish a risk-based dashboard that can demonstrate progress as well as gaps. Benchmark your KPIs versus your industry when possible, and consider criteria such as risk, regulatory requirements, liability, compliance, and expenses.

Align with different business units to support digital transformation activities and leverage those initiatives to gain funding from the board for the security program. If your plans will help important initiatives, like accelerating new application deployment, then they'll get more traction with the board. Also look at how you can link security program KPIs to goals like improving the company's brand and trust—especially important for B2C companies—to strengthen the board's support.

Get the Board Onboard

A few final strategy notes:

1. Share your agenda for the board meeting with the audit committee before the meeting, and make sure you have alignment on key issues.
2. Effective storytelling is essential when describing the problem or risk, and getting buy-in for the solution. Describe how your proposed solution will fix the problem and reduce risk.

Return on investment is a central part of choosing a security tool and justifying it to the board. Read this Forrester report reviewing the ROI of ExtraHop Reveal(x) network detection and response.