Chief information security officers (CISOs) have an important job of managing a healthy security posture in an organization — but achieving board-level support can be challenging.
To receive proper funding, today's CISO needs more than technical aptitude and management skills. Security leaders also require business acumen and communication competence. Their security strategy must align with the business goals and objectives in order to gain support from C-level executives and stakeholders.
With board-level support, CISOs can increase the organization’s security maturity by:
- Implementing policies and procedures
- Expanding the security team
- Outsourcing tasks to a managed security service provider (MSSP)
- Investing in necessary SOC tooling
In addition to the seven ways outlined below, our e-Book, Gain Board-Level Support for Your Security Program, provides essential tips on how CISOs can nail a presentation to obtain the funding and resources they need. Don't miss these highlights!
7 Ways CISOs Can Gain Board-Level Support
It’s easy to understand why getting board buy-in is so important, but how can today’s CISO get the support they need?
1. Know Your Audience
When presenting to an executive board, it is not just what you are pitching but also who you are pitching to that shapes how you approach the subject matter. The audience determines how you frame security risk, which needs and solutions you emphasize, and the tone of your presentation.
There are different boards you may speak to depending on your company structure and the issues that are being presented, such as the executive board or the board of directors.
The Executive Board:
The executive board encompasses colleagues in the C-suite who are responsible for developing and implementing strategy, policy, and action plans. These executive-level managers may include the chief executive officer (CEO), chief financial officer (CFO), chief operating officer (COO), and chief information officer (CIO). These managers also govern day-to-day operations, so details such as project owners and timelines will appeal to this group.
The Board of Directors:
The board of directors can be comprised of executive board members as well as nonexecutive, external directors. They represent the organization's shareholders and oversee the executive team. They aim to maximize shareholder returns, avoid costly errors, and reduce financial risks. When presenting to a board of directors, it is critical to communicate clearly and provide meaningful, concise metrics.
Before laying out your presentation, it’s important to get to know your audience with these steps:
- Research board members
- Establish relationships with board executives and staff
- Form a partnership with your CIO
These steps will help you familiarize yourself with your audience and their career history, understand their perspective on business and security, establish a connection of trust before the presentation, and potentially provide you with a security advocate for future initiatives.
Get to know your audience first and you will approach any presentation or meeting with elevated confidence.
2. Know the Business
CISOs live and breathe security, but they also need to be well-versed in business and fully comprehend the organization's business model, drivers, and value proposition. This leads to a more cohesive security strategy that supports the goals and objectives of the organization.
Always remember that the board cares about security within the context of business. They will listen intently when you mention anything about risk to the business, the impact of your plan, and the cost scenario.
Speak the board’s language and capture their attention with these keywords in mind:
3. Avoid FUD
Fear, uncertainty, and doubt (FUD) is often used as a scare tactic to influence the board to invest in the security program. Avoid scaremongering and worst-case scenarios. They distract from the main issues or threats that relate to the business and can undermine your credibility as a security leader in the organization. Board members do not want to waste time, and they will see through buzzwords that hype up threats without offering a feasible solution.
If you are looking to build credibility during your presentation, then it is better to use quotes from experts and statistics from reliable sources in the industry.
4. Communicate Wins
Return on investment (ROI) is extremely important to board members. It is imperative to always follow up on the outcome of any funds that were approved. Clearly outline how a security investment addressed the business's challenges and reiterate the improvements that resolved those issues.
When reporting on ROI, include tangible examples using concise stories and data. Don’t overwhelm your presentation with too many numbers and statistics — you could lose the board members’ attention or distract them from the most important metrics! Automate key metrics to save time, reduce human error, and create a repeatable and efficient process.
Reporting on the effectiveness of your security operations program is critical to gaining board-level support. LogRhythm’s Security Operations Maturity Model (SOMM) will also help you to measure the success of your program and demonstrate reductions in time to detect and respond. Watch LogRhythm’s demo video to see SOMM in action.
5. Don’t Ignore Compliance
Regulatory compliance is a necessary component of modern business. It can be a driving factor when requesting funding or proving the value of your security team. All businesses must meet certain standards, laws, and regulations. This is extremely important to board members, especially in highly regulated sectors such as healthcare, federal government, and finance. Negligence and noncompliance can lead to hefty consequences, so you can appeal to the concerns of the board when you raise this issue.
6. Communicate Clearly and Simply
Before the presentation, it is useful to summarize the key points you plan to cover in a pre-briefing. This will set up clear expectations on what you want to cover and gives the board time to process some of the information. You can also meet individually with each board member ahead of time to present your case and answer questions before the formal presentation.
When it comes to communicating with board members, not everyone will have a technical background. If you fill the conversation with too much geeky jargon, you may lose them easily. During LogRhythm’s 2020 RhythmWorld security conference, executive leaders across the nation gathered to talk about their role and how they approach gaining board-level support. In the live webinar, The Modern and Evolving Security Leader: Security Executive Panel, Karen Holmes of True Blue Inc., suggested,
“Find a way to tell the story from beginning to end.”
Karen explains how important it is to paint a holistic picture that clearly conveys the risk to the organization when security and information management is not a top-down initiative. When translating for the board, you can break complex topics and concepts down with analogies and simple diagrams. Remember to speak their language and relate your ideas and data back to the business in a concise manner.
7. In Case of an Emergency
Security breaches are inevitable. At some point, you will have to deliver bad news to the board. When that time comes, it is imperative to be transparent and factual. The board members rely on you to keep your professional composure during an incident. It is easy to get overwhelmed, but it is important to keep a level head and never downplay an incident. It is just as important not to cause panic or exaggerate an incident.
When you do have a breach, this is a chance to instill confidence in the board and build credibility, by efficiently communicating how your team is responding. Having a streamlined process for reporting incidents helps ensure trust with all parties involved.
Other Ways to Achieve Board-level Support
If you are not getting the results, funding, or investments from the board that you are hoping for, there is room for improvement when it comes to your pitch. There will always be funding limitations, but how you execute your message can increase the chances to get the support you need to keep your organization secure.
In an effort to continue building relationships and improving your presentations, do not be afraid to ask for direct feedback. Collect notes on what resonated with the board members and use that to your advantage the next time around.
If you feel there is room for significant growth in this area, consider obtaining a business degree; an MBA can take your abilities as a CISO to the next level. In The Modern and Evolving Security Leader: Security Executive Panel, LogRhythm's CSO, James Carder, reveals that once he started moving up in his career, he quickly realized he needed to obtain his MBA in order to speak the language of finance and to translate all of the terminology into risk and cost of risk. It was essential for him to be able to communicate return on investment to the board and to explain scenarios where reducing risk in certain areas can save money in the long run.
For more in-depth tips on how to improve your presentation skills, download our e-Book, Gain Board-Level Support for Your Security Program.