CISO Guide: How to Win Board Members and Influence Business StrategyEffectively linking security strategy to business strategy can not only establish your seat in the boardroom, but help you successfully use it By: Secureworks
As a key indicator that C-suites are investing more of their time and attention in information security risk mitigation, the modern day security leader is becoming an established contributor to Executive Management and the Board of Directors’ meeting agendas. As a result, security risk management and monitoring reports provided by security leadership have never been more essential and consequential to business strategy decisions and in turn to IT, security strategy and program controls.
Unfortunately, security leaders often still struggle to establish a seat at the table in those meetings or fail to use that seat effectively by linking security strategy to business strategy. Many security leaders still speak in terms of technology risks and specific security vulnerabilities and establish policies around those risks without aligning their security goals to the business.
When the security function operates in misalignment with the business, it may earn the dubious reputation as a source of competing priorities that hamper growth and productivity. In turn, this results in a missed opportunity to leverage the security leader’s role to the benefit of the business, sidelining that individual as a technical specialist instead of a business enabler whose information security strategy makes growth opportunities possible within tolerance.
Top 3 Changes Security Leadership Must Make to Earn a Seat at the Table and Get Things Done
- Understand Your Board’s Business Strategy
- Make Your InfoSec Plan More Inclusive, Understandable and Measurable
- Communicate with Board Members What They Need to Hear
The Most Successful CISOs Understand their Board’s Business Strategy
Perhaps the most important things a security leader can do is understand the business strategy and establish collaborative relationships with select functional leaders throughout the company, specifically those who are instrumental in keeping business and security goals aligned. Learning the challenges of the business and understanding its strategic initiatives is key to showing leadership they can rely on the security function to be a part of the business effort and not a hindrance to it.
Security doesn’t necessarily need to be aligned with all business functions, but it is important to establish partnerships with key leaders and departments who share similar goals for managing business risk or whose functions represent the greatest impact to security operations and strategy.
Many successful CISOs find themselves spending as much time with legal, HR and audit as they do with their own IT colleagues and direct security reports. Legal and Internal Audit are two important areas of the business to align with in order to prioritize top business risks in terms of impact and likelihood of them occurring, as well as whether controls are adequate. This helps the security leader to work with risk owners so that they can establish what is most important and what to focus on first as a result.
Percentage of senior leadership that views cybersecurity as a strategic priority
Being able to speak a common language (more business than technical) with other functional leaders is critical to establishing internal alliances that support security strategy and initiatives. Finding common language around business goals and challenges and then linking security initiatives helps foster cohesion so business leaders can make decisions in the context of the company’s cybersecurity risk tolerance rather than in the limited context of their respective function. As one former CISO put it: “I knew I’d achieved that trust level when Executive Management or the Board asked for something to be executed and the business functions involved said: ‘We want security leadership to look at it and approve it first.’”
Develop an Information Security Plan That Is Inclusive, Understandable and Measurable
Understanding the business is one thing; building an information security strategic plan around it is another. Many times security leadership cannot establish a seat at the table because they don’t have a long-term plan that aligns to the needs and aspirations of the business. Or they fail to recognize the company’s tolerance for specific risks related to important strategic goals. Granted, it takes time to establish an initial plan; however, once established, executive leadership will expect that the plan is focused on mitigating the most likely business risks from a breach without unduly hampering critical opportunities for growth and productivity.
Inclusion is a key factor in establishing the information security program plan and gaining support for it. Engaging the entire business on high-level initiatives and creating an understanding of how the success of each works interdependently between business functions is vital to the program’s success. For example, take a look at a quick high-level overview of an initiative for a data breach response plan:
Data Breach Response Checklist:
- Implement security awareness and training for all employees.
- Communicate the business risks regularly to management.
- Integrate the incident response plan with the crisis management team plan.
- Test your response plan with real scenarios, include C-suite and Board.
- Do you have the right visibility and logs now to aid forensics later?
- Incident responders should be on retainer now, not later.
Notice the inclusion that interconnects with multiple business units and includes executive management and the board. This level of inclusion is essential to success.
For the security strategic plan itself, typically a multiyear plan is suggested (three is standard) in order to effectively demonstrate that it prioritizes alignment with business strategy. When establishing the plan, there are five considerations to effectively make its case for approval:
The 5 Keys of an Effective Security Plan
- Link top initiatives to top business risks.
- Know who the key stakeholders are and understand their stake in the initiative.
- Develop a common language across the business for communicating the risk (example below).
- Communicate the value of early response capabilities in reducing cost of a breach.
- Ensure the plan helps Senior Management make more informed decisions about the business risks.
Once the plan has been established, it’s time to develop the information security roadmap. Though it may seem too simplistic, creating a visual that can be presented to executive management and the board is an effective way to show progress as well as future initiatives. By creating a timeline trajectory, Executive Management is able to ensure alignment with their priorities and measure the security function’s progress over time.
For the security roadmap itself, you want a simplified version with your top three to five priorities to present in Board meetings or to the CEO. From that high-level roadmap, security leaders can develop more specific plans for further clarification to executive management as needed.
Important: Articulate your top three to five priority initiatives on a timeline
Revisit them each time you report. Keep it simple.
Communicate with Board Members What They Need to Hear
All boards differ from organization to organization. Depending on the size of the company, the industry and the general makeup of the members of the board, what one Board wants to hear in one organization can differ dramatically to another. Therefore, how do you ensure the content of your cybersecurity presentations properly align?
In recent research, there were three consistent recommendations among Board Members interviewed across various organizations of different size and industry.
- Establish a 1:1 (or “personal”) relationship
- Show the forensics of an attack (non-technical)
- Benchmark against others and your own current state of security
Establishing a 1:1 Relationship
The number one suggestion from board members interviewed to security leadership was overwhelmingly to establish a more informal relationship. Lunches or a dinner after work went a long way to establishing an understanding as to backgrounds, affiliations, industry experience and risk appetite. Board members also noted to remember that they are human, and they have the same thoughts and fears that any other person does. Additionally, many stated that they cared deeply on a personal level about the employees that rely on their decisions and the clients they serve. It is easy to treat board members with kid gloves, but humanizing your interactions with them and recognizing their points of view will help them retain the messages you’re trying to get across.
Ultimately, their end goal aligns with that of the security leader: protect the company and safeguard its success. It’s just the approach from each side that is different, with Board Members focused on risk oversight in the context of the company overall, while security leaders are focused on managing security risk on the front lines. What’s more, though some board members come with expertise in specific areas like finance, science or technology, many are former CEOs who were elected for their overall leadership qualities and experience making difficult strategic decisions. They will want to make decisions within the context of the big picture for the company. Once the security leader can understand each board member’s approach, it will be easier to communicate security priorities in a way with which the board can relate, in turn providing value and increasing their confidence in security decision making.
Show the Forensics of a Cyber Attack
What would happen if executive management or a board member swung by your office, referenced a recent data breach in the news and asked if this would happen to you? Many times the answer is lies between yes and no and is followed up with technical jargon, and the business leader, looking for peace of mind, is often left without confidence in the ability to avoid such incidences. How would you present a security vulnerability in a board meeting that is on your roadmap of key initiatives? What are the key metrics that you should communicate, and what should they be aware of to track? How do you make that very understandable in terms of how that maps to business risk?
An invaluable technique in board meetings is to provide cyber forensics information in a nontechnical, more digestible manner. For example, let’ say there has been an attack on the office of personnel management. Here are some questions to answer that will paint a realistic and clear presentation of the situation:
- What happened?
- What was the vulnerability?
- How did they get in?
- What was the result?
- What are we doing about it?
- What do we need to do about it and what is our enterprise’s current ability to ward off the threat?
This non-technical overview puts a potential attack into real context that it could become headline news. This exercise can map to a board’s security risk appetite and in turn help a security leader move forward on priority initiatives.
Long-term business impact of a data breach
Benchmark Against Others and Your Current State
Board members interviewed stated that a key to their understanding of security and supporting initiatives is to regularly conduct external security benchmarking. The first of two ways to do this is by industry. Using a third-party assessor that is familiar with the organization’s industry, they can establish the organization's current state and compare key metrics against best practices of others. Granted, some security leaders are averse to this approach in fear that it illuminates vulnerabilities and weaknesses in the information security program without context, such as the company’s own unique internal environment. However, board members noted that understanding where they stand relative to state-of-the-art programs within their industry or peer group helped them to understand how much risk they are exposed to as well as how stakeholders may perceive their level of risk and effort to mitigate.
The other benchmark boards want to see is the company’s current state relative to the last time it was measured. Engaging a third-party to assess risks and test for vulnerabilities is not a one-time exercise but rather an important metric for boards to fulfill their risk oversight responsibilities. As with the financial risk function, the comparison of risk levels over time is more important than the moment-in-time snapshot that compliance controls provide.
While these tips only serve as a sampling for security leaders to help establish a seat at the table, research has shown that a combination of these efforts at the macro level is a powerful approach to help increase awareness and cohesion amongst business functions, Executive Management and the board in support of the security agenda. When thinking about the security leader role and the relationship it has with related business functions, remember to account for the checklist below as a guide to help establish a seat at the table and use it effectively:
- Define your bottom line. What is the action you need to initiate?
- Understand the business
- Build relationships and trust; know your audience – research, engage, and facilitate dialogue
- Map initiatives to the desired outcomes
- Outline 1-3 desired outcomes on your roadmap
- Benchmark for credibility
- Define how you’re measuring effectiveness
- Be prepared for unexpected questions