February 12, 2019
It’s crucial to find the best ways to present your security strategies to the board of directors and push the importance of implementing a solid cyber security defence into the organisation.
87% of board members and C-level executives are not confident in their organisation’s level of cyber security.
Although cyber security is moving up in the world and organisations are becoming more aware of its importance, CISOs, IT Directors and Risk Managers often still brush the matter off and claim they don’t have enough of a budget to cover cyber security.
If you’re in charge of taking care of and implementing the security strategies for the company, you will need to present your ideas to the BOD in a way that is rich, applicable and convincing.
Below you will find a number of effective tips to follow that will help you prepare and explain your cyber security strategies in a way that will get the BOD on board!
1. Familiarise yourself with members of the board
An effective pitch will always depend on how well you know your audience. Make sure you get to know each member’s background and position before going into the meeting, and recognise their pain points and their general take on risk and security. The more you know them, the better you can relate to them and get your argument across.
2. Technical terms
The best way for the board to understand your pitch is if it is explained in simple terms. The CEO will most likely be unfamiliar with the latest security terms and technologies. Remember that you need to make this easy to follow and use relatable scenarios. Perhaps replace terms like SIEM and DDoS with realistic ideas such as risk management and security principles. Ensure you mention:
- Impact on finances
- Impact on business reputation
- Governance and responsibility
3. Contextualise your points
For the board members to truly grasp the core of what you’re saying, your points should be supported by real-life examples. The maturity level of your cyber security could be presented with a traffic light analogy, or the impact of some cyber attacks can be highlighted with recent news articles that depict the consequences. You can even bring up some case studies of organisations like yours to show how data breaches have really affected them.
4. The security strategy should align with the overall business
Even with a convincing proposal, it will be pointless if it doesn’t align with the overall business strategy of the company. Your BOD will usually deal with the high-level strategy and every decision will be based on how it will help daily operations and if it is able to achieve objectives. Before pitching the security strategy, familiarise yourself with the overall strategy and goals of the company – your arguments should support these goals.
5. Don’t waffle about
The BOD only meets occasionally and their time is very valuable. Ensure your pitch only focuses on the critical elements and not on the “fluffy” bits of information. They only need to know what is important; by doing this, the board members will appreciate your respect for their time and really remember the high-value points that you want to get across.
6. Push what you want to achieve
Before starting the presentation, be sure to explain what your goal is and why you’re pitching this in the first place. The board members should know exactly what you’re trying to achieve.
- Do you need to agree on a new strategic direction for cyber security?
- Do you need a higher budget?
- Will you need additional resources?
- Does the board need to review and approve a new security policy?
7. Know the numbers
You should come prepared with all facts and figures. The BOD will most likely ask specific questions about where the company currently stands when it comes to cyber security and how they can measure the risk level.
You should come prepared with all these answers including numbers and statistics to bring your point to life. Knowing these numbers will contribute heavily towards convincing the board.
8. Sound and solid solutions
The BOD doesn’t want to sit in a presentation listening to the number of issues within the organisation. Instead, present them with solutions relating to cyber security, and tell them how these solutions will make life easier and benefit the organisation at the same time.
For example, your pitch could include a list of 5 concrete strategies that you want to undertake, how much they will cost and how long they will take to implement. A high-level conversation is always a good starting point.
9. Demonstrate ROI
Be sure to explain how you plan on reporting on your projects and, most importantly, how you can demonstrate ROI to the organisation. It may be that you decide to conduct a cyber security assessment which evaluates where the organisation currently stands and in which direction it should be going. A solid progression in your cyber security maturity level can help win the board members over, so they know their commitment to your plan has paid off.
If your arguments are on point, clear and relevant while being linked to business operations then you stand better chances of getting the necessary contribution from the board and get on track to implementing a good security strategy.
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.