How to have more impactful conversations with the board around cyber risk

In a recent Right Hand Security, Front Lines event, SolCyber Chief Technology Officer David Emerson interviewed cybersecurity expert and friend of SolCyber, Scot Hutton, on how cyber leaders can more effectively communicate with boards to make positive changes that will increase a company’s security posture. Below are key takeaways from their conversation. You can also watch the full interview on YouTube.

Much to the dismay of security professionals, implementing secure strategies doesn’t always fall under their purview. Cyber professionals can write up documentation and invest in software that provides some level of protection, but it requires a concerted effort on the part of all employees to adopt a security mindset and build a culture that values secure practices. And yet, the responsibility of an organization’s security and the communication of said company’s security posture often falls solely upon CISO or similar role.

Cybersecurity is an undeniably complex subject that many leaders don’t fully comprehend. It takes years of dedicated study and immersive experience to understand how to mitigate risk and improve your security posture. So, how can a CISO or cyber professional effectively distill years of experience into digestible nuggets and communicate with boards to gain support for security programs?

Cyber expert and executive Scot Hutton shared some tips in a recent Front Lines event on just that. Here’s what he had to say.

1. Focus on protection levels—not threats

When discussing cybersecurity, it’s easy to fall into the trap of focusing on the risks and threats an organization may (or may not) be facing. But threats in the news might not be relevant to your organization and the strategies and tactics cyber criminals use evolve quickly. So, when you focus on the problems of today, you’re already lagging behind.

Instead, Hutton recommends centering discussions around protection levels because that’s ultimately what’s important. A few years back, boards were very concerned about ransomware and would ask questions about the latest attack covered in the news. But regardless of the type of ransomware, there are three things an organization should do to protect against it: create backups, provide phishing training and implement a detection and response program. So rather than discussing the latest threat, cyber professionals should express to the board where the company stands on these three actions and what you can do to improve.

At the end of the day, it’s less about worrying if and when an attack will occur, and more about how prepared you are for when it happens. What are the strategies and protections you currently have in place to react to an attack and protect against it?

2. Throw frameworks out the window

As board members learn more about security, they are becoming more familiar with security frameworks and view them as easy solutions. Unfortunately, frameworks don’t always work because they don’t cover deception and security awareness training in an effective way. So, before your board gets too excited about frameworks, reel them back in and keep conversations focused on what’s happening at the organization and how prepared your teams are to defend against various threats.

“I use CAG or the top 20 as a starting point to determine where we are today and what can we do to drastically improve our security posture,” claims Scot. “But it’s something I use in the background as a framework to help me prioritize things. I keep conversations with the board more focused on what’s going on in the here and now.”

3. Choose metrics that tell a story

KPIs and metrics can be incredibly powerful tools, but only if there’s context surrounding them. Simply stating the number of events detected or mitigated or the mean time to detection doesn’t really mean anything because a board member has no way of knowing if your numbers are good or bad.

Instead, present KPIs that tell a story about where you are and where you’re going. Track how your mean time to detection improves over time or look at your company’s resilience score compared to others in your industry to get a better sense of how your teams are truly performing.

4. Be honest about how far a budget will go

Most security professionals are all too familiar with this story: You walk into a board meeting with a detailed strategy for how to mitigate the most pressing risks your organization is facing. You present your proposed budget, and the board says they can only cover a quarter of the costs. You end up with a solution that ultimately doesn’t move the needle or mitigate any risks.

“To ensure you walk away from a board meeting with appropriate funds, frame risk as a business problem that we’re all facing together,” says Scot. “Present options for nearly mitigating the threat and partially mitigating the threat and be open and honest about what a minimal investment really means. Security doesn’t need to be an all or nothing game and even starting the process of constructing a defense system can be a good thing so long as leadership understands that they’re not eliminating the problem on a tight budget.”

5. Discuss a long-term plan for increasing the budget

In the event that you can’t secure the funding you need, work with the board to build a plan for covering one department at a time with the budget you can get. This not only gets the ball rolling, but it allows you to prove the effectiveness of your recommended security tools and practices to the board over time—and show what happens to the departments left exposed. During your initial meeting, agree to come back to the table to review and invest more at a future date. 

It’s also essential to be honest about the fact that you can never fully eliminate a risk—you can only drastically reduce it. As you’re talking about future spending, emphasize that the threats and associated defenses are likely to change over time, which means your budget will too. Be clear about what you need today and how you expect those needs to change tomorrow.

6. Offer solutions—not problems

With so many aspects of security outside of your control, it’s easy to constantly come to the table with problems and not solutions. But your board will be unlikely to shell out more money—or give you a slot on next quarter’s agenda—if you’re not offering realistic solutions. 

Beyond asking your board for dollars, ask for their support. If you need IT to regularly engage in patching activities, get buy-in from the board so they can prioritize that communication to the CEO, CIO and down into the IT teams. If monthly training and testing is important to your defense strategy, center your conversations around getting participation from the entire organization in order to minimize risks.

Creating a culture of security starts at the top. Educate your board on the importance of various security practices and tools, so they can push that message on to the C-suite and beyond. Ask the board to take the lead on shifting the culture, so your job becomes easier once you leave the room.

Context and clear communication are key

For years, boards didn’t see cyber as a business problem but rather as an IT problem. And in recent years, that’s started to shift. Security professionals today have the unique opportunity to apply changes that actually matter and will make a difference. So go to the board with a clear set of solutions, ask for the funds you need to manage the different levels of risk and explain how those dollars can make a real difference. 

For more tips on how to communicate security strategy with your board and broader organization, watch the full Front Lines session.

If you’re also keen to read more great articles from SolCyber, subscribe to our blog!