Decoding the Boardroom: A Fortune 500 CISO’s Guide to Winning Hearts and Budgets
In the high-stakes world of cybersecurity, one of the most daunting challenges faced by CISOs is the task of persuading their organization to invest in security capability. But in an age of worker shortages, cost-cutting measures, and a surge in third-party cyber risk at the enterprise level, CISOs need to get this message across urgently. As a result, it’s imperative for CISOs to learn how to speak the language of their boards and stakeholders, and, by the way, that language is not cyber risk probability. Board members and business stakeholders prefer economic terminology over tech talk.
The Designated Board Geek is Your Friend
Before delving into the specifics of cybersecurity investments, it’s crucial to understand your audience — the board of directors. The board typically consists of individuals with varying levels of technical knowledge. Those board members who are comfortable with technical material, through acumen or experience, evolve into a “Designated Board Geek” (DBG). The DBG is informally selected to vet deep technical issues not well understood by the remaining board members. Use the DBG to your advantage by requesting one-to-one time with them to review the board material and answer questions at the level of detail the DBG prefers. During the subsequent board meeting, give the DBG the opportunity to answer questions from other board members based on the pre-briefing you did with them. Your credibility will improve with the board as a whole. Throughout, focus on storytelling as a technique: people remember facts in stories more easily than facts in presentation bullet points.
Establish the business case
Your job, as a CISO, is to allocate scarce resources to the highest risks at enterprise scale. It may look easy to others, but it’s very challenging to balance short-term with long-term benefits. Cyber resilience at enterprise scale requires specific behaviors and practices along with a cultural norm of stepping up to solve problems rather than avoiding them. Build a business case on economic benefits vs. risk mitigation.
As an example, if you are seeking investment in near real-time data feeding a supply chain management process that involves software implementation, then focus on the resulting increase in productivity and capability without increasing staff. CFOs, CIOs and CEOs are quite familiar with the need to invest in change to achieve a better balance of operational costs and productivity gains over time. Using risk probability as the foundation for the business case introduces something foreign (not well understood) to that norm. A better approach is to clearly lay out the investment request against a reduction in the total cost of IT ownership, or against the productivity gain for an existing function that will not need more staff.
Identify regulatory compliance
Many industries are subject to specific regulations and compliance requirements related to data protection and cybersecurity. Board members prefer that you demonstrate awareness of the legal obligations the company faces. For instance, earlier this year the U.S. Securities and Exchange Commission (SEC) released a set of regulations requiring publicly traded companies to disclose new details about cyberattacks, as well as cybersecurity oversight at the board level. This extends to third parties that may experience a security incident impacting customers and enterprises, as in the case of SolarWinds.
KPIs that matter: The power of Security Ratings
You can’t fix what you can’t measure, and you can’t report on what you can’t measure. CISOs must use key performance indicators (KPIs) to measure business outcomes and the effectiveness of the underlying or embedded controls. Security Ratings provide a standardized measure of the cyber health of an organization. They provide a greater level of transparency, while enabling both board members and security practitioners to speak a common language (business outcomes) and identify opportunities to remediate vulnerabilities.
SecurityScorecard’s report with the Cyentia Institute found that 98% of organizations worldwide have a relationship with at least one third-party vendor that’s been breached in the last two years.
By operationalizing Security Ratings, in addition to a robust third-party risk management program, CISOs will be able to communicate to the board that cyber risk is being managed and that cybersecurity investments are paying dividends. The key is to adjust the third-party governance program to import near real-time data on third parties and trigger automated workflows to manage the additive risk for the third party, or for a category of third parties with the same risk profile.
Show me the money: Demonstrating ROI in Cybersecurity
Now, let’s talk about the money. Explain how every dollar invested in cybersecurity either increases productivity, lowers operating cost, or reduces the total cost of IT ownership. That total cost covers hardware, software, and software support (which includes vulnerability management), and it is largely the resource capacity consumed by tech support. Reducing it can lead to better utilization of talent and also to lower annual insurance premiums. By illustrating the financial gains, your pitch to stakeholders—and ultimately the board—will be understood and embraced.
In the world of cybersecurity, your ability to articulate the case for investment is paramount. By understanding your audience, building a compelling business case, and engaging in meaningful dialogue (storytelling), you can make the case for the essential investments to manage cyber risk. An informed and supportive board is the linchpin of the cyber resilience and the prosperity of your organization.