As each news cycle highlights more ransomware attacks, data breaches, cryptojacking, and other cybersecurity incidents, the likelihood increases that someone from your organization’s leadership team will be asked to talk to the board about information security. Board members are interested in hearing first-hand from the head of technology, information security, finance, or operations about the state of an organization’s information security health, its cybersecurity strategy, and what tactics are in place to protect against and detect threats.
Based on our experience talking to many organizations’ senior leadership teams and board members, here are five tips for talking to the board or the C-Suite about cybersecurity.
1. Highlight global issues and trends
Topics that are often of interest to board members and other high-level organizational leaders include:
- Recent cybersecurity incidents around the world that have made headlines
- The latest trends in information security — what kinds of attacks are becoming more commonplace?
In all of these cases, board members and leaders want to know the likelihood of these types of attacks happening at your organization and what controls or tactics are in place to prevent them from occurring.
In addition, should such an incident occur, what technical controls or other measures are in place to limit the impact of this type of attack? How would your organization detect such an attack?
2. Discuss recent incidents at your organization
Likewise, we recommend being up front about recent incidents your organization has experienced. Be prepared to present a brief post mortem about any impactful or unusual attacks the organization has recently experienced. Some key talking points:
- What happened? How did the organization detect the attack? How much time elapsed between when the attacker first gained a foothold into your organization and when it was detected?
- Were there any contractual or legislative consequences? Were any customers, clients, patients, students, or other stakeholders impacted? If so, were they notified?
- How did the incident response team handle the situation? How has the incident response plan been updated as a result of the attack?
- Lessons learned: what went well (if anything)? What changes have been made to the incident response plan, incident response team, technical controls, processes, or security operations as a whole as a result of the incident? How will the organization be better prepared in the future to prevent, detect, and/or respond to such an incident?
3. Present recent initiatives & roadmap
Often, the leadership team and board members are interested in understanding what’s on tap for the coming year or 3-year budget/planning cycle. We suggest as you are talking to your board about cybersecurity that you use this opportunity to highlight recent and planned new initiatives and how they will strengthen your organization’s overall information security strategy.
Plans or updates about recent security enhancements shouldn’t be just about technical controls and tactics — e.g., implementing multi-factor authentication — but about how the initiative will protect organizational information and data and what impact the change is intended to have.
4. Focus on the big picture
If you’re coming from a technology background, it can be tempting to get into lots of technical details. The board doesn’t care about the number of weak cipher vulnerabilities from your most recent vulnerability scan. That number is worthless to them unless it’s presented through a lens with meaning, like the potential impact to the organization if these vulnerabilities are left unchecked.
5. Frame the discussion around risk management
Instead of emphasizing technical details, frame the conversation and talking points around risk. No two organizations are the same; regulatory requirements, sector expectations, resources, size, internal IT capabilities, technical tools in place, and more all influence how an organization approaches information security. Ultimately, it’s important to make sure that your information security program is aligned with the organization’s risk appetite.
Conversations with the board are a great opportunity to highlight some of the areas where your organization is weakest in an effort to get buy-in to take action. For instance, telling the board that you’re out of compliance with the Center for Internet Security’s top 20 controls likely isn’t going to resonate with them or convince them that additional investment is needed to correct that.
On the other hand, if you can successfully communicate why your organization needs to take steps to put several of these controls in place and the risks associated with inaction, you will have a higher chance of convincing these key stakeholders that resources are needed or that processes need to get changed to minimize cybersecurity-related risks.