March 26, 2020
Ready, Set, GO into the Boardroom and Win

As cybersecurity risks rise, cyber criminals become savvier, and cyberattacks continue to negatively impact business, the topic of cybersecurity frequently makes its way to the boardroom. Not only are cautious C-suite executives, officers, board members and directors asking their CIO, CTO and CISO colleagues tough questions, but they are also engaging them in strategic planning sessions and high-stakes business decisions more often than ever before.

As a technology or cybersecurity leader, you will inevitably need to face the board at some point during your career. Therefore, you may want to prepare yourself for business-driven, boardroom-level discussions sooner rather than later. When you do face your board, you will want to ensure that you can succinctly—and at a high level—describe the value that your technology investments will deliver to the business. As your boardroom appearances continue, you will want to prepare to:

  • discuss technology trends comfortably
  • show how these trends can enhance business value and reduce costs
  • describe how emerging technologies are impacting the competitive market
  • define the risks and challenges your company is experiencing
  • help assess and enhance your company’s overall cybersecurity readiness

Whether your company is bringing a new product to market, dealing with regulatory or compliance mandates, or preparing to differentiate itself in the market with a disruptive offering, your board members and other top leaders will continue to look to you to ensure they are doing it as securely as possible.

If you have spent much of your career in the server room or behind a computer, you may not feel comfortable participating in these types of discussions. As a technologist or cybersecurity expert, you may know every intricacy of the latest malware strain, but your board will want to know: How is it going to impact company revenue? Or, how will the new technology spend you’re proposing help us attract or retain customers, or improve our market share? If you are surprised the board is not approving your funding when you tell them about your Multiprotocol Label Switching network—you are not truly boardroom ready. However, with a shift in focus toward business drivers, proper preparation, and even coaching from a professional advisor, you can get there.

Spurring board interest with business drivers and more
To define what resonates with your board members, you may want to start by looking at your company’s existing business drivers. Once you understand the specifics that are top-of-mind for your board members, you can then use this knowledge as a catalyst to map to your desired security initiatives. Perhaps your company wants to expand to the European Union. In that case, you might focus on ways to enhance your GDPR compliance. If your company has a heightened awareness for brand protection, your main focus may be on ensuring effective ransomware protection.

Next, consider threat modeling to see what your key cyber risks are, and what security technologies you will need to address them. Threat modeling is, at its core, an understanding of:

  • Which malicious adversaries are coming at you?
  • How are they coming at you?
  • And what are they after?

For instance, if you are a CISO at a petroleum company, you may face different threat actors than those at a typical manufacturing company. Threat modeling for a petroleum company might include specific environmental variables or regional considerations. Is your company located in North America? Or, do you have sites in other countries, and are any of those countries hostile? Understanding your threats, both current and emerging, builds awareness around the type of risk, and amount of risk, your company can tolerate. If you are in the defense industry, or in high-speed trading, and your cybersecurity precautions go awry, your whole business can be destroyed overnight. Whereas, if you’re in the mining industry and your computers go down, your company can still use its trucks to dig out gravel.

Board members will appreciate that you have taken the time to define your company’s risk tolerance, because risk tolerance will dictate the level of cybersecurity maturity you need—and that correlates to how much you will need to spend.

After you have defined your business drivers, conducted threat modeling, identified your company’s risk tolerance, and determined its desired level of maturity, you will want to develop a roadmap. A roadmap is a tool that will allow you to see where you are and where you need to go over the next several months. Defined steps will help you achieve various milestones in order to reach your long-term goals over the next several years. However, for any of that to happen, you are going to need board approval, and that is where you will really want to ensure you are boardroom ready—when you are requesting funding.

Preparing your boardroom pitch
When you are getting ready to face top decision makers to ask for the funding or people you need to support your cyber initiatives, you may want to consider engaging a professional, third-party cybersecurity advisor. Working with such a company will give you access to experts with decades of experience in helping technologists like you prepare a dynamic, compelling boardroom pitch that answers why your proposal is important. Outside guidance may help you better consolidate your thoughts, technical jargon, software/hardware tools, controls, policies and procedures into a high-level, data-driven, results-generating presentation that resonates with your key decision-makers and moves them into action.

Professional consultants will help you answer “Why it matters.” For instance, when you tell your board you can reduce the risk of loss of sensitive customer data, and you are able to back that up with facts about competitor ABC that recently lost a million client records, including names, phone numbers and credit card information, you will get their attention. Then, if you also know company ABC paid substantial fines, and lost business because their customers lost trust in them, and you can prove this because of the recent drop in their stock price over the course of the last quarter, contrary to the overall market, suddenly your board members will be leaning in.

Top tips to ensure boardroom success

Whether you have not yet presented to the board, or you are a professional who faces the boardroom frequently, these tips will help you brush up on your boardroom game.

  1. Understand your business drivers
  2. Build value that maps back to those drivers
  3. Keep things simple, avoiding technical talk
  4. Be clear on what you are requesting
  5. Be succinct about WHY (Why should the board say yes to your request? Is it going to generate more profit, or differentiate your goods or services? Is it going to allow your company to comply with the law?)
  6. Anticipate five levels of questioning that may include possible roadblocks or objections your board may raise
  7. Rehearse more than you think you need
  8. Know your audience, anticipating what may resonate with them based on their perspective

Ultimately, when you are able to show the board how you can help differentiate your products or services from the competition because your offerings are more secure, and that helps drive revenue growth and client acquisition—it’s a win-win for you and the board.

About the Authors
Kurt Gollinger
COO
Kurt Gollinger is Chief Operating Officer, and a member of the corporate Executive Committee, at CBI. He joined CBI in April 2018, bringing more than 20 years of business, technology and executive leadership experience to his role with the company. Kurt is responsible for the management of CBI operations, supporting sales and marketing, information technology, cyber security, finance, human resources and service delivery. Prior to CBI, Kurt was Chief Technology Officer North America at Fiat Chrysler, serving as the bridge between the technologists and business functions, building and managing the necessary infrastructure to enable corporate objectives. In his role as CTO, Kurt was responsible for the development and management of technology projects, cloud technologies, data centers and networks. Before joining FCA, Kurt also spent 12 years at Samsung-Harman, responsible for global information technology infrastructure and operations in 25 countries with a diverse team of technology, operations and business professionals. He also successfully completed an expat assignment in Germany, leading an ambitious transformation initiative.
Shaun Bertrand
Senior Vice President, Security Programs
Shaun Bertrand leads the Red Team, CBI’s Advanced Testing Services practice. Shaun brings over 20 years of experience in the information security field with a core focus of providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.