Now more than ever, Chief Information Security Officers (CISOs) are going to have to answer some very tough questions not only from their CEOs, but from their Boards of Directors as well. Given the current state of flux in many companies, budgets have become tighter than ever before. If, as CISO, you want more money added to your budget, you will have to justify additional spending in nearly every category.
In this article, we examine some of the key points you’ll need to articulate to sway the Board of Directors in your favor.
What You’ll Need to Address
The first thing to determine is the specific level of cyber risk your team is facing at the present time. Yes, there are a lot of fancy methodologies that you can use, but your Board of Directors is not going to care about that. All that matters is that you define a set of categories and numbers that clearly demonstrate what the business impact and potential financial expense could be if your company is hit with a cyberattack.
Whatever you present to the Board should be easy for them to grasp in a matter of minutes. Of course, if there are any gaps in your company’s cybersecurity posture, they will also want to know how you plan to remedy them and what the solution might cost the company.
Here are some key areas that you will want to explain to the Board of Directors:
- Where the digital assets lie and which are most vulnerable. As a CISO, you are not going to have time to go through where each and every one of them resides. All you really need to present is where the most important digital assets reside, which of those are the most vulnerable, and of course why. Your Board of Directors will also want to know where the security controls that mitigate this exposure are in place.
- Compare your company against industry benchmarks. After you have presented the above information, your next major task will be to show just where your company stands in the cyber risk spectrum when compared to other entities in your industry. Presenting these comparisons will put your company-specific findings in context. This comparison may quell any reservations your Board of Directors has about increasing your cybersecurity budget. For example, if you can show that your company is far ahead of other companies in terms of being proactive in mitigating its level of cyber risk, that will reflect well on you and the current approaches you are taking.
- Demonstrate what is and what is not working. As a CISO, your natural tendency will be to present only those things that are working well, especially when it comes to the controls that you are currently using. But be prepared: you will also be asked what is not working. One of the key questions you need to address is how additional funding will help you strengthen any weak controls that are being used to protect those most vulnerable assets. Pointing out what isn’t working well can be a source of anxiety for any CISO, but it need not be. Keep in mind that some things will work well, and others won’t, for a variety of reasons. Consider your presentation an opportunity to make your case for extra funding and be ready to explain how additional resources will be used to shore up your current lines of defense.
- Present the advantages of automation and adequate staffing. No business wants to be at risk of a security breach, and all CISOs would like to see their company’s risk at a level of zero. But the bottom line is that this is impossible to achieve. Therefore, you need to present a plan to your Board of Directors that will clearly demonstrate how you intend to reduce your current level of cyber risk to what is acceptable (and even exceptional) according to your industry standards, if you are not there already. In this regard, the two things that you must incorporate are the use of automation and filling your cybersecurity staffing needs. With the former, you must demonstrate how the use of artificial intelligence (AI) and machine learning (ML) packages can actually help your IT security team become more proactive in their work. For example, AI and ML can help filter out false positives and thus present only legitimate warnings and messages. This will help your team react much faster to the prevalent threat vectors, which will in turn help to decrease your overall level of cyber risk over a period of time. With regard to staffing, all IT security teams are being stretched to their breaking points due to the longevity of the remote workforce. Therefore, you will also need to make a case for hiring more qualified workers. You can use this to your advantage by succinctly stating that the extra manpower can be used to augment your existing staff so that they can keep up with remediating the security issues that are cropping up on a daily basis, thus decreasing your company’s overall level of cyber risk in the long term.
This article has provided some insight into what you specifically need to bring to the table when presenting the issue of cyber risk and budget to your Board of Directors. The key items that you need to remember when presenting to the Board are as follows:
- Keep your findings short, to the point, and easy to understand.
- Quantify your findings, the expenses that will be associated with them, and how those funds will be distributed to bring down your current level of cyber risk.
- Try to forecast what the decreased level of cyber risk will be once the desired controls are in place. That way, you can compare today’s risk level to the reduced level at the next Board meeting. You can set benchmarks for what you expect to work and later compare them against what actually happened, putting you in a better position to answer questions from the Board.