Conversations with the Board

In this blog series, Shifting from Preventative to Proactive Risk Management, we have discussed how and where to focus your efforts to become proactive in security risk. The first blog, Security in 2019: Getting Ahead of the Game, tackled how security teams can create a fluid strategy in lockstep with business stakeholders to build a powerful security platform. The second post, Learning the Enemy Perspective, talked about the importance of understanding how threat actors think and act to give the security team the upper hand. The third part of the series, The Business-Centric Risk Strategy, showed why taking a step back to evaluate the need for a sustainable risk strategy that is predictive and proactive is worth the time and effort. Here, in the final post of the series, we will explore how to get input and buy-in from leaders in your organization.


As a cybersecurity leader, reaching out to your business counterparts in different divisions when planning or updating your security strategy can result in several benefits. You'll better understand the priorities of the organization and the marketplace value of different data assets, along with the organization’s appetite for risk. This helps you develop a strategy which protects revenue streams and customer relationships and can adapt to shifts in technology and user behavior.


Partnering with business leaders may also increase their confidence in your team’s ability to protect against disaster. About 70% of executives from large organizations, public companies and financial services entities perceive that the volume and complexity of risks have increased "mostly" or "extensively" in the past five years.[1]


By the same token, cybersecurity leaders should also establish connections with company boards, whose members are paying closer attention to the role of security. As retired US Army General and Optiv Security board member David Petraeus said: “Ensure cybersecurity is discussed in board meetings. It’s not just about the financial bottom line or the new product innovation or the new marketing scheme; it’s also about ensuring the cybersecurity of all of the digital activities that are so important in any business firm today.”


Boards bear responsibility for financial loss and reputational damage if the company suffers a breach. Therefore, it’s important to include security discussions in every board meeting so that members understand emerging threats, regulatory requirements and the company’s capabilities, including tools, processes and skills. In fact, 67% of boards of directors are putting pressure on senior executives to increase management involvement in risk oversight.[1]


What the board wants to know


Board members need clarity on top risks and corrective actions to protect the bottom line. It’s unlikely executives need detail on the specific solutions you have in place: intrusion detection, forensic analysis, penetration testing and so on. According to the National Association of Corporate Directors (NACD), boards care about answering questions like:[2]


  • What are our company’s cybersecurity risks and how is the company managing them?
  • How will we know if we’ve been hacked or breached?
  • Who are our likely adversaries?
  • What are our company’s most serious cybersecurity gaps?
  • What is our cybersecurity maturity level?


How to communicate


Security personnel like to talk specs and data. Generally, the board just wants to see metrics that clearly relate to business risk, such as quarterly revenue losses associated with customer data leakage incidents. It appears that security teams can do better here: only 12% of organizations assessed by Optiv scored a medium rating or higher for the ability to report solid security metrics.[3] Which metrics to deliver is the question: security may track team productivity or security defects caught in pre-production, but business people will respond more to knowing whether actual incidents have declined, whether the company is at a 100% compliance rate with patch, availability and downtime requirements, and whether cybersecurity is doing its work as efficiently as possible.


Not all results are quantifiable, but if you tell a story in language the board understands and which aligns to their concerns, board members can begin to relate. Your team will need to translate IT speak into how issues and results affect business objectives. Security teams often classify risk in categories of low, medium and high, which delivers little context for the board. Business leaders want to know whether the top customer-facing systems—the Customer Relationship Management (CRM) tools, e-commerce systems, mobile apps and websites—are always safe, and what the consequences are when they’re not.


Guidance from organizations such as the NACD and the Securities and Exchange Commission (SEC) is available to help security teams adopt effective business language. Learning how and what to communicate to the board is just the first step. These top-level relationships require persistence and nurturing so that, over time, you can develop a bond of trust with the people who have the most influence on your ability to build and maintain a world-class cybersecurity operation.


For further guidance about how to communicate overall security health to the C-suite and board, read the Optiv interactive e-book, Getting The Board on Board With Security Risk.


[1] AICPA, The State of Risk Oversight, 2017.

[2] NACD Director’s Handbook on Cyber-Risk Oversight, 2017.

[3] Optiv Security, 2018.

Dustin Owens
VP and GM, Risk and Compliance Advisory
Dustin runs a team of highly experienced advisors who help organizations apply sound risk management principles to transform their business to be more agile. He has written numerous articles on topics such as cloud security, risk management and next-generation security, and is a contributing author on the book Curing the Patch Management Headache and a technical editor and foreword contributor on the book Adaptive Security Management Architectures.