Talking to the Board About Cybersecurity’s New Realities

April 6, 2021

  • Between the increase in remote access and headlines filled with high-profile events like the SolarWinds/Orion compromise, the board approval process has gotten challenging for many cybersecurity executives.
  • ExtraHop’s Sri Sundaralingam offers useful advice on how to talk to your board of directors about the new realities of IT security.


I’ve interviewed dozens of CISOs and IT security executives in the past few months, and from those conversations emerged some useful advice on how to talk to your board of directors about the new realities of IT security.


Key goals:


  • Achieving alignment across the board
  • Building a “roadmap to yes”
  • Focusing on risk and reward for core business objectives





Know Your Board of Directors

The first key to success: listen before you talk. Understanding the board’s key goals and priorities will allow you to frame your own security goals and metrics in a way that will resonate.


It helps to identify a sponsor on the board – one person who can help you understand the board’s mindset and who can be an advocate for you. Invest time in your relationship with that one person and he/she can help steer key security-relevant decisions.



Keep It Short and Get to the Point

Keep your discussion with the board short, sweet and focused. It helps to keep it high level – don’t get too technical. Prepare for your board meeting by practicing with a non-technical audience who can flag anything they didn’t understand.


Send the board your materials before the meeting and address any questions beforehand. That keeps the discussion during the meeting fast and focused: the meeting should be used to drive key decisions, not to clarify points of confusion.


Begin with the end in mind: consider upfront how you want them to feel when they leave. Thinking about the emotional outcome is key.



Be Ready for Difficult Discussions

Go through the topics on the agenda and flag anything likely to be a sticking point. Then run a mock exercise before the board meeting to prepare for the hard questions you may have to answer.


Reactivity versus resiliency is one difficult discussion that may come up. With significant attacks taking over headlines, it’s natural for the board to ask, “What are we doing to make sure this doesn’t happen to us?”


In these instances, it’s important to lead with resilience. Avoid tipping the balance too far into reactivity. If the last big breach happened due to a cloud misconfiguration, it makes sense to ensure you don’t have the same misconfiguration. But fixing one high-profile problem shouldn’t limit what needs to be a broader and more forward-looking perspective.


It’s inevitable that eventually something will go wrong, and it’s critical to have a plan in place to survive it.


Resilience means that if a building catches fire, you know where the nearest fire station is, how to call them and what to do until they arrive instead of standing there saying, “But we thought we couldn’t catch fire.”



Leverage Frameworks for Education and Credibility

Frameworks like MITRE ATT&CK and those published by NIST can help you explain your security maturity. Back that up with data – external audits, penetration testing and any available internal data. Frameworks are a credible, independent source of information and provide standardized ways to measure security maturity.


Then bring it all together to establish a roadmap (e.g. layering your security via defense in depth) for investments to earn the board’s support.


Be proactive in establishing a baseline that explains where you are now, and then talk about your priorities – pick your top ten. Provide gap analysis, demonstrating how to get from your current baseline to your goal state.


Use recent high-risk vulnerabilities (like CVEs carrying a maximum CVSS severity score of 10) as illustrative examples to help demonstrate how your identified investment priorities can close the gap between your current security and your goals. Then tie them in with the priorities you know are important to the board.



Key Performance Indicators

KPIs indicate tangible progress in your security program. They help establish a risk-based dashboard that can demonstrate progress as well as gaps. Benchmark your KPIs versus your industry when possible, and consider criteria such as risk, regulatory requirements, liability, compliance and expenses.


Align with different business units to support digital transformation activities and leverage those initiatives to gain funding from the board for the security program. If your plans will boost important initiatives, like accelerating new application deployment, then they’ll get more traction with the board. Also look at how you can link security program KPIs to goals like improving the company's brand and trust – especially important for B2C companies – to strengthen the board's support.



Get the Board Onboard

A few final strategy notes:


  1. Share your agenda for the board meeting with the audit committee before the meeting and make sure you have alignment on key issues.
  2. Effective storytelling is essential when describing the problem or risk and getting buy-in for the solution. Describe how your proposed solution will fix the problem and reduce risk.
Sri Sundaralingam | VP of Security and Cloud Solutions | ExtraHop
Sri is the VP of Security and Cloud Solutions at ExtraHop. An accomplished and dedicated product and marketing executive, he brings years of experience in information security, cloud security, data networking, and enterprise software markets.