Cyber Insiders - Magazine - Page 6
2. Use metrics that are meaningful.
Data without context is meaningless
and won’t help get buy-in from the
board. When sharing data with the
board, CISOs need to add a layer of
context and pick the data points that
impact the organization’s security
priorities.
Centre your metrics around the business
criticality of affected assets. Boards
want to know how your decisions as a
CISO benefit the organization, support
objectives and impact the cost. Once
you have your key metrics, you must
translate this data into business
language so that it will be impactful,
memorable and resonate with the
board.
3. Don’t use fear, uncertainty, and
doubt as a weapon.
CISOs should avoid leveraging fear,
uncertainty, and doubt (FUD) to drive a
point home or to get the board on their
side. Leveraging FUD as a weapon can
give the impression that the CISO is
more of a hindrance than a help or that
they are prioritizing security at the
expense of the business’s growth.
This negative perception of security as
the “office of no” or “scaremongers”
can act as a communication barrier.
Instead, a more positive approach is to
provide an overview of the problem,
identify the root cause and to offer
solutions and recommendations to
remedy the issue, along with an outline
of the associated benefits.
By acting more like an impartial risk
advisor, the CISO can help business
leaders understand the risk and
determine risk tolerance so that more
informed decisions are made.
4. Present security as a business
enabler, not a cost centre.
Often when CISOs approach the board,
they’re hoping to make a case to secure
more resources or acquire additional
budget.
However, by presenting a lengthy list
of security technical needs as a case
for investment, they perpetuate the
perception that security is a cost
centre rather than a business enabler.
With the backdrop of a recession,
tightening budgets and pricing
pressures, board members are more
likely to shut down from the
conversation if they cannot see the
ROI from security investment. To
demonstrate the value of security,
CISOs should use metrics that show that
security is a revenue driver. A few ways
to do so are to:
• Explain how customer contracts can
be differentiated by driving value from
security.
• Estimate the revenue that would be
protected by removing a threat.
• Show what the organization would
recover in lost revenue by
implementing your suggested control.
5. Talk to board members beyond
board meetings.
Understanding your audience is key,
which is why it’s vital that CISOs invest
in relationships with board members
outside of the boardroom.
Understanding the other person’s
communication style, personal and
professional motivators and area of
expertise will help a CISO land their
message more effectively.
Having a strong rapport with board
members outside of a formal channel
can provide invaluable insights and
context that will help a CISO to craft a
message that is suitable and relatable
to their target audience, which is then
more likely to resonate and achieve its
goal.
Finding boardroom allies is vital,
particularly non-technical ones, who
can act as a sounding board and help
you find the weaknesses in your
presentation ahead of a board
meeting.