9 Tips to Help You Pitch Cyber Security to the Board

It's crucial to find the best ways to present your security strategies to the board of directors (BOD) and to make the case for implementing a solid cyber security defence in the organisation.

87% of board members and C-level executives are not confident in their organisation’s level of cyber security.

Although cyber security is moving up in the world and organisations are becoming more aware of its importance, CISOs, IT Directors and Risk Managers often still brush the matter off and claim they don’t have enough of a budget to cover cyber security.

If you’re in charge of developing and implementing the company's security strategies, you will need to present your ideas to the BOD in a rich, applicable and convincing manner.

Below you will find some effective tips to follow that will help you prepare and explain your cyber security strategies in a way that will get the BOD on board!

1. Familiarise Yourself With Members of the Board

An effective pitch will always depend on how well you know your audience. Before going into the meeting, make sure you get to know each member’s background and position. Recognise their pain points and their take on risk and security in general. The better you know them, the better you can relate to them and get your argument across.

2. Technical Terms

The best way for the board to understand your pitch is if it is explained in simple terms. The CEO will most likely be unfamiliar with the latest security terms and technologies. Remember to make this easy to follow and use relatable scenarios. Perhaps replace terms like SIEM and DDoS with realistic ideas like risk management and security principles. Ensure you mention:

  • Impact on finances
  • Impact on business reputation
  • Governance and responsibility

3. Contextualise Your Points

For the board members to truly grasp the core of what you’re saying, your points should be supported by real-life examples. The maturity level of your cyber security could be presented with a traffic light analogy, or the impact of some cyber attacks can be highlighted with recent news articles that depict the consequences. You can even bring up some case studies of organisations like yours to display how data breaches have affected them.

4. The Security Strategy Should Align With the Overall Business

Even a convincing proposal will be pointless if it doesn’t align with the company's overall business strategy. Your BOD will usually deal with the high-level strategy, and every decision will be based on how it will help daily operations and whether it can achieve objectives. Before pitching the security strategy, familiarise yourself with the overall strategy and goals of the company – your arguments should support these goals.

5. Don’t Waffle About

The BOD only meets occasionally and their time is very valuable. Ensure your pitch only focuses on the critical elements, not the “fluffy” bits of information. They only need to know what is important, and by doing this, the board members will appreciate your respect for their time and remember the high-value points you want to get across.


6. Push What You Want To Achieve

Before starting the presentation, be sure to explain what your goal is and why you’re pitching this in the first place. Board members should know exactly what you’re trying to achieve.

  • Do you need to agree on a new strategic direction for cyber security?
  • Do you need a higher budget?
  • Will you need additional resources?
  • Does the board need to review and approve a new security policy?

7. Know The Numbers

You should come prepared with all the facts and figures. The BOD will most likely ask specific questions about where the company currently stands in cyber security and how it can measure the risk level.

To bring your point to life, you should come prepared with all these answers, including numbers and statistics. Knowing these numbers will contribute heavily to convincing the board.

8. Sound & Solid Solutions

The BOD doesn’t want to sit in a presentation listening to the number of issues within the organisation. Instead, present them with solutions relating to cyber security and tell them how these solutions will make life easier and benefit the organisation at the same time.

For example, your pitch could include a list of 5 concrete strategies you want to undertake, their costs and the time it will take to implement them. A high-level conversation is always a good starting point.

9. Demonstrate ROI

Be sure to explain how you plan to report on your projects and, most importantly, how you can demonstrate ROI to the organisation. You may decide to conduct a cyber security assessment, which evaluates where the organisation stands and in which direction it should go. A solid progression within your cyber security maturity level can help win the board members over so they know this commitment to your plan has paid off.

If your arguments are on point, clear, and relevant while being linked to business operations, you stand a better chance of getting the necessary contribution from the board and getting on track to implementing a good security strategy.
