Three key things security execs need to do in board meetings
You’ve just finished presenting your security strategies to the board, but it’s not gone as well as you’d hoped.
The hours of research you’ve put into highlighting threat levels, examples of breaches that have ground rival companies’ operations to a halt, and the technologies and training that can be deployed to mitigate attacks haven’t won over the C-Suite.
The room seems more focussed on post-pandemic recovery and surviving challenging economic circumstances.
You wait for feedback, hoping your pitch will finally galvanise them into action, but again, the reaction is not what you expected, despite the PowerPoint presentation that you and your team took weeks to assemble.
The chief financial officer is worried that you’re going to burn through company cash; the CIO is worried that the layers of security you are proposing will make the business less agile; the marketing director is failing to see how some of these threats you’ve mentioned relate to this particular business.
The non-executive director, meanwhile, perhaps the person in the room most sympathetic to your cause, is left scratching his head because he has no idea what you mean by terms such as “password spraying” and “egress filtering”.
Most firms are now aware of the importance of cyber security, and yet acting on it, and persuading organisations that cyber is an investment rather than a cost, is still a challenge.
According to Paul Watts, non-exec director of an academy trust and a cyber security analyst, it’s good to talk with businesses, but it’s tough if you’re speaking different languages or you’re struggling to find the motivation to have the relationship in the first place.
“It’s too easy to lean back into our formative risk and compliance arguments – reverting to type – which can stifle businesses that want to innovate and get ahead of their competitors,” he notes.
“For us, the challenge is maintaining relevance. Keeping interest sustained and demonstrating that we can bring real business value beyond the management risk,” he adds.
Watts – who has previously worked as CISO for Domino’s Pizza UK & Ireland and Kantar Media – recently chaired a panel at InfoSec Europe about the importance of communicating effectively to the business.
Drawing on the experience of some seasoned CISOs on the panel, below are three key pieces of advice that security execs would do well to take on board.
1) Know who’s in the room
You can’t read the room until you know who’s in it, according to Deborah Haworth, CISO at Penguin Random House, “and the problem is I don’t think security leads always know what is meant by ‘The Board’.”
Typically, there are two types of board members. Inside (executive) directors, such as the CEO or CIO, operate in the interest of the shareholders, employees and managers.
And then there are the outside (non-executive) directors, who may bring a unique expertise to a particular sector or industry, and are there to govern impartially and resolve company disputes and goal-setting matters.
“You need to ask what it is you want from an engagement with that group of people, because if we go in there to throw stats at them – then why? If you go into a board meeting – anything you present – ask the question: ‘So what?’” said Haworth.
It will vary from company to company, but the panel advised security execs to get to know each board member’s background before a meeting, and to recognise their pain points and their general take on risk and security.
For Watts, non-executive directors are usually the easiest people to talk with because ultimately, it’s their reputation on the line and compliance is usually part of their remit. Consequently, “they’re not afraid to ask critical questions in context,” he added.
For EasyJet’s CISO Paul Midian, his best conversations are with the CIO “because he’s a former pilot!”.
He admitted that working at an airline meant that the conversation around security tended to be easier. “They talk about risks and threats and vulnerabilities and are constantly preparing for what might happen. Cyber security is branded ‘digital safety’,” he added.
However, his general advice to security execs is to “figure out what side of the business understands the language you’re talking and aim your initial conversations at those board members in the first instance.
“But you are going to have to qualify the way you talk: CFOs want numbers, marketing people want stories and pilots like to talk about risk and threats,” he added.
2) Mind your language
According to Watts, the cyber security industry is struggling to decouple security from technology, which is damaging its ability to focus on the business implications of the trade.
With the emergence of the CISO, he added, that was changing, but there’s still some alienating technical jargon making its way into the boardroom.
Steer clear of technical terms like “buffer overruns” and “credential stealing”, Midian advised, and instead talk about the impact on the business if those kinds of attacks are successful.
Watts suggested CISOs start using terminology that executives understand, to ensure they pay closer attention: “Perhaps we need to talk about business resiliency rather than talking about disaster recovery?”
According to senior managing director of Accenture Security, Valerie Abend, another mistake security execs make is to keep the conversation at a technical level between the CISO and the CIO.
“All that does is further silo the conversation – when what we need is to expand it and come up with specific tailored accountability for every single member of the C-Suite that makes them enabled and accountable for their entire organisation. It’s a very different approach,” she said.
3) Talk about business value, not scare tactics
According to Abend, hitting execs over the head with scare stories doesn’t work either: “It doesn’t leave them knowing what to do – it just scares and alienates them further.”
Haworth agrees. “The non-exec directors don’t want to hear about the risks, they want to know what’s being done about them so they can go to sleep knowing there are no corporate governance responses to address,” she said.
Studying a company’s business and aligning with its key goals so you can support them works better than providing a list of the latest threats, Watts added.
“If a business just sees us as being about risk and compliance we’ll always be hanging on to that ticking time bomb of a breach event.
“We need to look at how we add value and go into the boardroom and say: ‘We’re so good at operating company security controls that we’ve worked out that we can save 50% if we automate some of this stuff. This is my contribution to saving the company money.”
If you do go into a boardroom with a list of threats or stats, Watts added, then try to match it back to business impact.
For EasyJet’s Midian, impressing on the board the mindset of an attacker can completely change their perspective, because while some execs may not understand the technology, they will always understand the business motivations.
“You need to explain why cyber crime is such a big business: Crime over the internet is less risky than traditional crimes of physically moving contraband around the world. It’s easier for criminals to manage the risk – it’s crucial that the board understands this,” he said.
Midian recalls a ransomware session that he had with his board a couple of years ago where he got members to read through a transcript of a negotiation between a victim and a threat actor.
“Afterwards the boardroom just went silent for a couple of minutes. It was the Chairman who finally spoke first. He said, ‘It’s just a business, isn’t it? But they have to manage legal risk because they are working outside the law.’ As soon as the boardroom realised that they were up against a business, the conversation started to become a lot easier.
“Once the board understands the interplay between the attackers and what they want to do with the business you end up having a better conversation.”