By James Carder, CSO, LogRhythm
To receive critical funding, today’s CISOs must be able to demonstrate the ROI of their security strategy in a way that aligns with the business goals and objectives that matter most to their organization’s board. This means educating board members on the business value of the security program: not only articulating the organization’s risk posture and the efficacy of the security program, but also explaining how that approach protects the business’s bottom line.
Understand the audience
The first critical step towards gaining support for the security team and strategy is to consider what your audience cares about and what their goals are. Board members’ main priorities are likely to be maximizing shareholder returns and understanding how the organization can be managed successfully. Consequently, most board discussions revolve around cost-efficiencies and revenue generation. Clearly and succinctly presenting the ROI of the security plan, rather than getting into the weeds of technical jargon, helps CISOs establish a shared understanding of how they reduce the organization’s risk and the value the security program provides to the business.
With any presentation, it is necessary to do research and prepare in advance. That means understanding who each board member is, building rapport, and identifying their goals, concerns, and shared interests. One-on-one meetings with key board members, if possible, are extremely valuable to this end. In doing so, CISOs can craft a presentation that resonates with each member and provide anecdotal background information to build mutual understanding. CISOs can then turn board members into security champions and open lines of communication that extend beyond quarterly meetings.
Know the business
Today’s CISOs must wear multiple hats and are expected to understand the ins and outs of the business, including its culture, customers, model, drivers, and corporate goals and objectives. While security is their priority, CISOs must first understand what is important to the business and then layer the security strategy in line with those objectives.
Tailoring plans to the organization’s upcoming fiscal or five-year plan demonstrates a keen understanding of the core business, how security fits into the overall strategy, and how it will safeguard the success of that strategy. Focusing on current industry trends and the associated organizational risks also shows how the security vision will benefit the company during times of transformation.
Avoid the FUD strategy
Fear, uncertainty and doubt (FUD) may be successful in certain contexts, but it is likely to hinder relationships with the board. While there is undoubtedly some uneasiness and anxiety when it comes to data breaches and infrastructure leaks, the CISO’s job is to assuage those fears and highlight how the specific plan of attack makes the business safer and more prosperous. Focusing on the negatives or “what if” scenarios creates a reputation for fear-mongering that can be hard to shake.
As the primary security expert in the room, the CISO should incorporate relevant statistics, source materials and case studies to educate board members and build credibility.
Clearly communicate the “why”
Avoid communication breakdowns at all costs. Board members likely have a limited security background, so it is critical to explain things as simply and clearly as possible to avoid confusion.
One way to achieve this is by including a summary of key issues that functions in tandem with the presentation. Scores, metrics, charts and figures can better illustrate the current state and the proposed trajectory.
If the board has invested funds into the security program recently, CISOs need to highlight how those investments have affected business performance, keeping the enterprise as the focal point of the discussion. This is an excellent opportunity to go over timelines, key wins, progress, and how risk-reduction projects are advancing relative to budget.
Factor in compliance
Most corporations face a unique set of regulatory requirements depending on the industry they operate in, and these must be factored in when developing security programs. From an organizational standpoint, they are often hardline regulations that shape standard practices across the business. A keen understanding of the governing bodies, laws, standards and regulations involved helps avoid negligence and noncompliance. This further appeals to board members and highlights that the security division is in lockstep with industry requirements to ensure compliance.
The more aligned CISOs are with the values of the board, the more likely they are to gain board members’ support to build a successful security program. CISOs should consider who the board members are and tailor discussions to how the security model will safely reduce risk and cost, generate ROI, and ultimately improve the bottom line.