Now more than ever, Chief Information Security Officers (CISOs) are finding themselves in the boardroom presenting the security strategy before the board of directors. Recent high-profile ransomware attacks like NotPetya and WannaCry are creating a place for cybersecurity in these meetings. Boardrooms are buzzing with questions like “how are breaches happening?” “how will they impact us?” or “how can we prevent ourselves from getting breached?”
The CISOs are expected to deliver information on the cybersecurity policies, risks, threats, and incident response (IR) plans to stakeholders and other participants who may not have the technical understanding that they do.
“By 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity.” – Gartner [1]
In the presence of a non-technical audience, CISOs struggle while explaining the complex issues of technical nature like what data was compromised, how kill chain technology helps, and much more. Instead, they concentrate on managerial topics like security strategies, budgeting, resource requirements, and more.
“Boards are becoming increasingly interested in security and risk management; however, there’s often a misalignment between what the board needs to know and what security and risk management leaders are able to convey,” says Rob McMillan, research director. [1]
While a detailed security report is beneficial for CISO, focusing on the following points will make their audience attentive:
- Stick to the Facts
CISOs can present their technical efficiency and preparedness in dealing with cyber incidents. However, the board is more interested in knowing the real facts like the cost involved yearly, the impact of the proposed plan, volume of risk, and more. Bringing hard facts to real monetary terms would convince board members better than any technical explanation.
- Speak the Language That Is Understood
CISOs should learn who their audience is before working on their presentation. They should prepare to present in a format understood by the board members. Usually, board members can follow graphs or bar diagrams that are used to represent progress, investment, productivity, and challenges. The board of directors are no doubt, knowledgeable leaders. However, they lack technical knowledge, especially when talking about the product life cycle, networks, or systems. While explaining the new security plan, instead of talking about the technical aspects of it, the CISO must concentrate on how the plan will benefit and improve productivity and revenue. Cut down on irrelevant information and security jargons and be prepared to answer questions.
- Present Action Plan
Board of members will be keenly interested to know the cohesive action plan rather than understanding the technical requirements. CISOs should able to explain the concept of drafting a new security strategy, budgetary needs, and staffing services. They should present the plan to obtain approval from the board members.
- Share Staffing Needs
CISOs are aware that there is a shortage of skilled workforce in cybersecurity. They also understand that having the right team is crucial to implement security operations. CISOs should be ready to take on the challenge of acquiring new talent in the cybersecurity team and also propose a realistic solution.
- Be Realistic About the Budget
CISOs are not just cybersecurity leaders but represent management too. They should visualize every plan from the management perspective and should be prepared to discuss the security budget in comparison to industry peers. When sharing budget needs, CISOs must be clear in what they are asking for and the efforts that they are going to generate without being too lofty with their ambitions. They should create an impression that they are focused on the overall business’s bottom line.
- Consider the Consequences
When making recommendations to the board, CISOs must develop confidence while delivering the action plan. They should address how a potential attack can ruin loyalty among their clients and bring major financial loss. There are many obligations like the EU General Data Protection Regulation (GDPR) and other legal enforcements that enhance the requirement of the cybersecurity team. CISOs can highlight law amendments and would explain how their organization can give preferred customer service when executing the obligations defined by law. Simultaneously, they must explain the consequences of neglecting the law and how it impacts the company’s goodwill and fines
Well-thought-out facts, when delivered with confidence, gains approval in board meetings. Beyond being a C-suite member, CISOs are the educators and experts to teach the board of directors the significance of cybersecurity role in an organization.
Become a Competent CISO Now!
CISOs are c-suite professionals and are expected to be highly experienced and qualified. They should hold a Masters degree and have relevant management experience to show their qualifications. EC-Council University offers a Master of Science in Cybersecurity, an online program with a specialization in Executive Leadership in Information Assurance. The specialization focuses on providing the fundamental skills that are required to understand global leadership concepts and packed with key components required to be a successful CISO. To make the student industry-ready, the two-year master program comes with three certifications of EC-Council including the Certified Chief Information Security Officer (C|CISO). There are more to learn in detail from our website.
EC-Council University (EECU) provides 100% online, flexible time and place, practitioner faculty-led, iLab supported, accredited programs in cybersecurity. The programs will equip graduates with the knowledge to assess the latest IT security risks and expert skills to handle them successfully. The university offers undergraduate and graduate programs. The Bachelor of Science in Cyber Security (BSCS) gives required exposure, builds cybersecurity skills, and develops leadership abilities that help students to grow as a cybersecurity professional. Master of Science in Cyber Security (MSCS) and graduate certificate programs help students gain expertise in industry-recognized skills and help gain domain knowledge to stand ahead in competitive career advancements. ECCU programs allow for students to sit for EC-Council certifications when courses that cover such topics are taken. Transfer credit for many cybersecurity certifications and past college courses is granted as applicable to programs of study.
ECCU is accredited by the Distance Education Accrediting Commission (DEAC) which is a recognized accrediting agency by the U.S. Department of Education and is also an acknowledged member of the Council for Higher Education Accreditation (CHEA).
Source: