As cybersecurity risks rise, cyber criminals become savvier, and cyberattacks continue to negatively impact business, the topic of cybersecurity frequently makes its way to the boardroom. Not only are cautious C-suite executives, officers, board members and directors asking their CIO, CTO and CISO colleagues tough questions, but they are also engaging them in strategic planning sessions and high-stakes business decisions more often than ever before.
As a technology or cybersecurity leader, you will inevitably need to face the board at some point during your career. Therefore, you may want to prepare yourself for business-driven, boardroom-level discussions sooner rather than later. When you do face your board, you will want to ensure that you can succinctly—and at a high level—describe the value that your technology investments will deliver to the business. As your boardroom appearances continue, you will want to prepare to:
Whether your company is bringing a new product to market, dealing with regulatory or compliance mandates, or preparing to differentiate itself in the market with a disruptive offering, your board members and other top leaders will continue to look to you to ensure they are doing it as securely as possible.
If you have spent much of your career in the server room or behind a computer, you may not feel comfortable participating in these types of discussions. As a technologist or cybersecurity expert, you may know every intricacy of the latest malware, but your board will want to know: How is it going to impact company revenue? Or, how will the new technology spend you’re proposing help us attract or retain customers, or improve our market share? If you are surprised the board is not approving your funding when you tell them about your Multiprotocol Label Switching network—you are not truly boardroom ready. However, with a shift in focus toward business drivers, proper preparation, and even coaching from a professional advisor, you can get there.
Spurring board interest with business drivers and more
To define what resonates with your board members, you may want to start by looking at your company’s existing business drivers. Once you understand the specifics that are top-of-mind for your board members, you can then use this knowledge as a catalyst to map to your desired security initiatives. Perhaps your company wants to expand to the European Union. In that case, you might focus on ways to enhance your GDPR compliance. If your company has a heightened awareness for brand protection, your main focus may be on ensuring effective ransomware protection.
Next, consider threat modeling to see what your key cyber risks are, and what security technologies you will need to address them. Threat modeling is basically an understanding of:
For instance, if you are a CISO at a petroleum company, you may face different threat actors than those at a typical manufacturing company. Threat modeling for a petroleum company might include specific environmental variables or regional considerations. Is your company located in North America? Or, do you have sites in other countries, and are any of those countries hostile? Understanding your threats, both current and emerging, builds awareness around the type of risk, and amount of risk, your company can tolerate. If you are in the defense industry, or in high-speed trading, and your cybersecurity precautions go awry, your whole business can be destroyed overnight. By contrast, if you’re in the mining industry and your computers go down, your company can still use its trucks to dig out gravel.
Board members will appreciate that you have taken the time to define your company’s risk tolerance, because risk tolerance will dictate the level of cybersecurity maturity you need—and that correlates to how much you will need to spend.
After you have defined your business drivers, conducted threat modeling, identified your company’s risk tolerance, and determined its desired level of maturity, you will want to develop a roadmap. A roadmap is a tool that will allow you to see where you are and where you need to go over the next several months. Defined steps will help you achieve various milestones in order to reach your long-term goals over the next several years. However, for any of that to happen, you are going to need board approval, and that is where you will really want to ensure you are boardroom ready—when you are requesting funding.
Preparing your boardroom pitch
When you are getting ready to face top decision makers to ask for the funding or people you need to support your cyber initiatives, you may want to consider engaging a professional, third-party cybersecurity advisor. Working with such a company will give you access to experts with decades of experience in helping technologists like you prepare a dynamic, compelling boardroom pitch that answers why your proposal is important. Outside guidance may help you better consolidate your thoughts, technical jargon, software/hardware tools, controls, policies and procedures into a high-level, data-driven, results-generating presentation that resonates with your key decision-makers and moves them into action.
Professional consultants will help you answer “Why it matters.” For instance, when you tell your board you can reduce the risk of loss of sensitive customer data, and you are able to back that up with facts about competitor ABC that recently lost a million client records, including names, phone numbers and credit card information, you will get their attention. Then, if you also know company ABC paid substantial fines, and lost business because their customers lost trust in them, and you can prove this because of the recent drop in their stock price over the course of the last quarter, contrary to the overall market, suddenly your board members will be leaning in.
Top tips to ensure boardroom success
Whether you have not yet presented to the board, or you are a professional who faces the boardroom frequently, these tips will help you brush up on your boardroom game.
Ultimately, when you are able to show the board how you can help differentiate your products or services from the competition because your offerings are more secure, and that helps drive revenue growth and client acquisition—it’s a win-win for you and the board.
Kurt is also co-founder and Managing Director of the Automotive Cyber Security Network (ACSN), a forum for automotive industry professionals to connect, exchange knowledge and engage in a community focused on securing the automotive sector. Kurt has more than 25 years of management experience, including 13 years leading global teams in the automotive industry.