Information Technology is now a core business function and essential to most business operations. As a result, technical leaders (IT Managers, Chief Information Officers, Chief Information Security Officers) are increasingly being engaged directly by senior management and the board.
At this level, board members come from all backgrounds and experiences, and you may be lucky to have a single member who is well versed in Information Technology; if you do, count yourself fortunate. More often, you have to tailor your communication to people who are not well versed in technology or security and speak in language they can understand. There is frequently a gap between the technical jargon IT uses and what the board can follow.
This breakdown in communication can have a cascading effect. Board members might fail to fully understand the security risks posed by a particular initiative. Or, with the growing number of costly and embarrassing cyber security incidents, they might overemphasise caution and risk mitigation at the expense of implementing important technical advancements.
Having worked with Risk Committees and boards, I believe I have an understanding of how boards view risk and how to engage with them on these issues.
Strategy 1: Manage the “Fear Factor”
The fear factor covers what IT means for the business, what happens when it goes wrong, and how prepared we are for the bad events. It is important to come prepared to address concerns about the uncommon issues and scenarios that may occur, while putting those risks in perspective. At the same time, keeping the board and business stakeholders focused on the highest risks and most likely scenarios helps ensure that security resources go toward controlling what can be controlled. Bear in mind that the board's perspective on what risk is differs from an operational one.
Headline-grabbing cyber incidents can draw a lot of attention from business stakeholders and board members who want to avoid finding themselves in similar circumstances. Not all cyber issues are created equal: they can range from internally caused problems, such as misconfigured cloud services, through to full-blown ransomware attacks.
For CISOs, managing the fear factor is the first step toward successful interactions with the board.
Strategy 2: Operational Resilience
You need to communicate the current plans for keeping the organisation operational, that is, its resilience: how we bounce back from issues, which scenarios have been thought through, and what actions are in place to remedy them. The board will want to know:
- how the organisation will recover in the event of a breach,
- what measures are in place to react quickly,
- and how the IT team can effectively investigate an incident and use what it learns to move forward in a more secure and better-informed way.
Strategy 3: Current and Future Plans – Mind the Gap
Be prepared to tell the board what we are doing now, where the organisation currently stands, what best in class looks like, and the steps needed to get there.
Which frameworks does IT comply with and audit its operations against? For example, NIST (the National Institute of Standards and Technology) publishes frameworks that give a programmatic, logical and standardised way to evaluate the completeness of a security program against industry benchmarks.
Using these frameworks, you can provide a contextual overview of the current strategy (the technologies in place, such as next-generation firewalls, SIEM and endpoint protection) as well as the future strategy for IT in the context of the overall business strategy (the technologies you plan to implement to close gaps in the architecture).
Strategy 4: Focus on Business Risks and Rewards
Work with the board to develop an IT Strategic Plan that is incorporated into the overall organisational strategic plan for the next period. Start from the goals of the organisation and consider what IT can deliver to achieve them. Frame IT technologies in terms of their ability to underpin and deliver those goals, and constantly think of the larger picture, including marketing, sales, customer engagement, profitability, and cost savings or reductions.
Strategy 5: Build a Road Map to “Yes”
Even as enterprise budgets get poured into security initiatives, at the board level security is often seen as a necessary evil, and sometimes as an outright impediment to business operations. Almost everyone has a story about how some "draconian" security requirement prevented them from using a technology that would have helped them perform better in their job. This pain point gave rise to an entire category known as "Shadow IT", itself a massive security headache.
These anecdotes can make board members feel that security is diametrically opposed to innovation. This is why it is critical for CISOs to come prepared with a road map for getting to "yes". If CISOs, together with CIOs, can demonstrate a clear understanding of business requirements and objectives, and explain what security measures need to be in place to achieve them, the conversation is reframed around "when", not "if".