With the uncertainty of COVID-19 reaching new levels as the total number of cases rises daily, many businesses in Corporate America are now facing turbulent waters that have never been experienced before. Now more than ever, CISOs are going to have to answer some very tough questions, not only from their respective CEO but from the Board of Directors.
The bottom line is that in this current state of flux, budgets have become tighter than ever before. Further, as a CISO, if you need to ask for more, or even to maintain the status quo, you are going to have to make a compelling case in order to justify those precious dollars.
In this article, we examine some of the key points that you need to articulate to the Board of Directors.
What Needs To Be Addressed With Senior Leadership
The first thing you need to keep in mind is how you are going to determine the level of cyber risk your organization is facing at the present time. Yes, there are a lot of fancy methodologies you can use, but the bottom line is that your Board of Directors is not going to care about them. All that matters is a clear set of categories and numbers that demonstrate the business impact and the potential financial cost if your company is hit with a cyberattack.
In other words, whatever you present to them has to be easily understandable in just a matter of minutes. Of course, if there are any gaps in your company’s cybersecurity posture, they will also want to know how those gaps will be remedied and what the expenses incurred could potentially be.
Here are some key areas that you will have to present to them:
- Where the digital assets lie and which are most vulnerable: As a CISO, you are not going to have time to go through where each and every one of them resides. All that you really need to present is where the most important digital assets reside, which of those are the most vulnerable, and of course why. Your Board of Directors will also want to know where the security controls are that mitigate this exposure.
- Compare against other benchmarks: After you have presented the above information, your next major task will be to show where your company sits on the cyber risk spectrum relative to the other entities in your industry. It is very important to present and demonstrate these findings in order to put the findings about your own company in context. The result is that this could quell any reservations that your Board of Directors may have about increasing your cybersecurity budget. For example, if you can show that your company is far ahead of its peers in proactively mitigating cyber risk, that will only speak volumes for you and the approaches you are currently taking.
- Demonstrate what is and what is not working: As a CISO, your first natural tendency will be to present only those things that are working well, especially when it comes to the controls you are currently using. But keep in mind that you will also be asked what is not working. In other words, one of the key questions you need to address is what your plans are to strengthen those weak controls that are still being used to protect your most vulnerable assets. This is an area of potential anxiety for the CISO, but it should not be. You need to keep in mind that some things will work and some won’t, for an array of differing reasons. The key thing to remember is to use this opportunity to present your case for extra funding, and to explain how those resources will be used to shore up your current lines of defense.
- Present your plan: In the end, no business wants to be at risk of a security breach. All CISOs would like to see that risk at a level of zero, but the bottom line is that this is impossible to achieve. Therefore, you need to present a plan to your Board of Directors that clearly demonstrates how you intend to bring your current level of cyber risk down to what is acceptable (and even exceptional) by your industry’s standards, if you are not there already. In this regard, the two things that you must address in this plan are the use of automation and filling your cybersecurity staffing needs. With the former, you need to demonstrate how artificial intelligence (AI) and machine learning (ML) packages can actually help your IT security team become more proactive in what they do. For example, these tools can help filter out false positives, so that only legitimate warnings and alerts are presented to the team. This will help your team react much more quickly to the prevalent threat vectors, which in turn will help decrease your overall level of cyber risk over time. With regard to the latter, all IT security teams are being stretched to their breaking points due to the longevity of the remote workforce. Therefore, you will also need to make the case for hiring more capable workers onto your team. You can use this to your advantage by succinctly stating that the extra manpower can be used to augment your existing staff so that they can keep up with remediating the security issues that are cropping up on a daily basis, and this too will help decrease your company’s overall level of cyber risk in the long term.
Key Items When Presenting To The Board
Overall, this article has provided some further insight into what you specifically need to bring to the table when addressing the issue of cyber risk with your Board of Directors. The key items to remember when presenting anything to them are as follows:
- Keep your findings short, to the point, and easy to understand, tied to business outcomes whenever possible;
- Always quantify your findings, the expenses associated with them, and how those funds will be distributed to bring down your current level of cyber risk;
- Always try to forecast where the decreased level of cyber risk will be, so you can compare this forecast to the actual level at the next Board meeting. That way, you set up benchmarks for what you expected to work against what actually happened, and you will be in a better position to answer the next round of questions.