How to Sell Your Cybersecurity Strategy to the Board: An Interview with James Carder

James Carder brings more than 19 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. government. As CISO and Vice President of LogRhythm Labs, he develops and maintains the company’s security governance model and risk strategies, protects the confidentiality, integrity, and availability of information assets, and oversees both threat and vulnerability management, as well as the Security Operations Center (SOC). He also directs the mission and strategic vision for the LogRhythm Labs machine data intelligence, threat, and compliance research teams.

Whether you’re a seasoned presenter or a first timer, presenting to the board can be daunting. Today most boards are well aware that cybersecurity is an important issue. But being able to convince them that your cybersecurity strategy is the right one, establish buy-in, and win their budget allocation is not always an easy task.

I sat down with James Carder, LogRhythm CISO and VP of LogRhythm Labs, to learn about his experience implementing a successful cybersecurity presentation to a board. Here’s what he said:

MS: In current and past roles, you’ve presented to the board countless times. What have you learned from those experiences?

JC: The first time I ever presented to a board, it was pretty scary. You have to have all of your ducks in a row—Is dotted, Ts crossed. I researched every board member and learned about their entire career histories. I wanted to make sure that my presentation would resonate with what they understand. I also made sure that I met with each of them one-on-one before the presentation—“the meeting before the meeting” so to speak.

If you do your due diligence to meet with each board member ahead of time, and you don’t have their buy-in, then you know that you have to make shifts before you get to the presentation. In doing this, you may also find an advocate. I actually had a new board member that I had known beforehand. He had been through security events with other companies, and he was a huge security advocate. He was invaluable to me in that board room.

Preparation and establishing relationships are both important pieces to board presentations. It’s also best to present something that is important to your business. For example, if you are the CISO of a healthcare institution, you probably want to talk about patient care. Always tie your presentation back to business drivers. Tailor what you want to say to your organization’s business model and tailor it to the board. Part of this is not going too deep into security jargon, technical details, or trying to outsmart the board members.

Your board deeply understands risks, cost, and impact. Stick to those three areas and make sure you can speak to them at any level of depth. It’s unlikely that they will care about new technologies or features. They will care about the risk to the business, the impact of your plan, and how much it will cost.

MS: In your experience, what doesn’t work well when presenting your cybersecurity strategy to the board?

JC: Fear, uncertainty, and doubt. I recall a colleague of mine presenting recent breach information (e.g., Here’s the cost of a record, here’s what Gartner is saying, and if we don’t do this, we’re going to get breached). While this may work for some boards, from what I saw, it was not well received. It actually agitated the board.

In that particular case, they didn’t want to hear what was going on outside of their organization. They wanted to hear what was going on as it related to the business and what my colleague was going to do to make the business safer—what he would do to protect or enable the business. Fear, uncertainty, and doubt used to be a popular tactic to scare the board into investing in the security program, but it’s probably worn out its welcome.

MS: Selling your cybersecurity strategy to the board can be difficult. Where do you start?

JC: You need to start by understanding what’s important to your business and then building your strategy around that. If you walk into the board room with a one-size-fits-all plan, then you’re only showing you’re not in tune with the goals and objectives of your organization.

The same is true for continuing your relationship with your board. If you go in and ask for money and you get it, but then you go in the next time and you haven’t shown how it has impacted your business, then the likelihood you’ll get funding again is greatly reduced.

Alternatively, if you look at your organization’s business challenges and problems as they relate to security, and you can prove that you’ve aligned your investment with those priorities, you’ll be more effective and have a bigger impact to the business. You’re showing the board that you will move the needle early on for the greater mission of the business and not just your security organization or ideas.

MS: What other stakeholders in the organization do you recommend talking to before presenting to the board?

JC: As I mentioned earlier, if you can get access to board members prior to the board meeting, that is critical. You also want to establish a relationship with executive staff—the CIO, the CFO, the CEO. In many organizations, the executive staff (or members of the executive staff) are on the board. Showing partnership and alignment with your immediate colleagues, like the CIO, is very important. In some organizations, with the CIO and the CISO, one can report to the other. Or they may be peers fighting for the same dollars. Regardless of your organization, the more you can show that you are aligned in partnership, the better.

MS: What types of questions should one prepare for before the presentation?

JC: The board is going to focus on the finance, risk, and impact. Organizations are becoming so focused on risk that many are moving to having a chief risk officer as opposed to a CISO. They’ll ask questions like, “How much is security going to enable my business to help us to increase revenue or reduce cost?” “How are we protecting and enabling the business?” “What are the risks?” “What is your plan?”

If you can actually show that your security plan will be an enabler for the business, you’ll be in a great position from a financial perspective. You will need to be able to relate your plan for making things better and safer for your organization, while also facilitating the business. The questions you get will also depend on who is on your board—but that is where knowing your board comes into play.

MS: Do you believe today’s board members understand cyber risk? What is the best way to help them fully grasp what is at stake?

JC: I think the news and media have actually helped cybersecurity out a lot, because media such as The New York Times and The Wall Street Journal are all now including content on cybersecurity.

President Obama also brought cybersecurity to the main stage. He was able to show that cybersecurity is more than just breach notifications in the news—it’s about policy and governance and how we’re moving forward.

I’ve also found that many boards tend to look at cybersecurity as an insurance policy—something that can reduce or transfer risk (e.g., “If I invest now to help build this program up, the likelihood that I’m going to be dealing with a situation down the road is going to be lessened. Or if it does happen, I will at least be able to show that the organization was responsible in this area versus being negligent.”).

MS: What role does compliance play in selling a cybersecurity strategy?

JC: Compliance does not equal security, and security does not equal compliance. But compliance can still be a driver and influencer when you’re building your cybersecurity program.

Whether you’re in the government, healthcare, finance—these are all regulated industries. Many compliance mandates are based on security best practices, standardizations, and controls. If you have a mature and healthy IT infrastructure, with best practices and controls in place, you’ve greatly reduced the risk to security. If you have poor controls on the IT side, this can feed right into a breach.

MS: When presenting to the board, how detailed of a plan should you share? Is there such a thing as talking technology too much?

JC: Yes, there is such a thing, and you should avoid it. Be prepared to talk technology, but keep in mind that you’re only going to have so much time and a handful of slides. You have to make that time and content count. If you spend four of your six slides talking about technology, you’ve just wasted your time. Instead, put your time and detail on where your proposal will make the most impact for your business—what they want to hear you talk about.

However, there is a big caveat to this. If you are presenting to the board during an incident or breach, spend your time there. If you don’t address or acknowledge what is going on, the rest of your preparation won’t mean anything because the board won’t be able to get around the fact that you have not yet addressed the incident. Don’t gloss over it, try to hide it, or downplay it. Don’t be afraid to deliver bad news. But don’t exaggerate it or make it bigger. Be transparent and factual. Be prepared to tell them what you’re doing about it (and try to leave your emotion and opinion at the door).

MS: What percentage of revenue is reasonable to ask for in support of your strategy?

JC: This is an interesting question, because it can be pretty wide ranging. Many times, the security budget will hinge on the IT budget. Sometimes it is 10% of the IT budget. However, if you have a long-sustained IT budget and a new security program, there will be some catch-up costs that come into play. In that situation, some companies are willing to front load to get the program off the ground; others will try to stick to 10%.

On average, you’re looking at the security budget being a percent or two of company revenue. This will all depend on how much the security program plays in the business. Is it a profit center / business enabler? Or is it just a G&A line item? That said, security budgets do appear to be growing pretty quickly. When I first started, it was closer to 5% of the IT budget, but now I’ve even heard of it moving up to 15%.

MS: Are there any pitfalls of which one should be aware?

JC: Don’t lie. Don’t be afraid to give bad news. Be transparent. Be clear about your numbers, and make sure your numbers are accurate. Make sure you speak to the business and try not to interject your opinions.

Make sure to speak the board’s language. If you don’t make the effort to speak their language, they’re not going to make the effort to speak yours. In my experience, getting my MBA made all the difference in feeling confident in my ability to speak the board’s language. When I first started presenting to the board and didn’t have an MBA, I probably made a few of the mistakes I’ve mentioned here. But when I went through the courses in my MBA program, the conversation shifted a bit. I could walk through or talk to a balance sheet quickly and effectively. I spoke more about net present value (NPV) and internal rate of return (IRR) and related those things back to security. I didn’t have the base knowledge to understand the jargon before that.

MS: If the board doesn’t bite, what should the next steps be?

JC: If the board doesn’t bite, you didn’t do something right—you were ineffective. So take a step back and re-evaluate what you did and what could have been done differently. Consider getting formal “board training” or having another colleague with this experience give you feedback. I also wouldn’t be afraid to seek out a board member or someone outside of the organization who participates in boards as a mentor.

In addition, seek access to members of the board and ask them what their hesitation was. Was there something that you said or presented that made a difference? Many times, a board member will give you this feedback. Often, I’ve heard board members say that it was because they weren’t met with beforehand. In many cases, the actual board meeting is like a check box to give formal approval—but if you don’t have the pre-work done, it’s going to be tough to get that approval when you only have 15 minutes to make your case.

Conclusion

Ultimately, a successful board presentation is driven by a lot of preparation. Much of that preparation is in relationship building, as well as knowing your stuff when you get in front of the board of directors. However, if you can have pre-meetings with your board members to know where you stand and begin to establish their buy-in, you’ll have a much better shot at success than if you expect to win them over in your allotted 15 minutes.

Once you’ve conducted your “meetings before the meeting,” you’ve had a chance to get to know your board members, establish some relationship with them, and fine-tune your pitch based on their feedback. At that point, you’ll have a lot more confidence walking into the board room.

However, these touch points don’t mean that you shouldn’t prepare for the actual presentation. When you walk into that room, be succinct, but be prepared to go deeper. Speak the board’s language, be transparent, and focus on three elements: the financials, the risk to the business, and the impact to the business. If you do this, you’ll be set up for a strong presentation that is likely to be well received by your board.