How To Present Cyber Security Risk To Senior Leadership: Bikash Barai, Co-founder, CISO Platform & FireCompass, and Allan Alford, CISO, TrustMap
Today, data breaches are almost a daily occurrence, and senior leaders and boards of directors want to be assured that their cybersecurity programs are doing enough to defend their organization. However, security teams are struggling to quantify risks, measure them and present them to leadership in a way that clearly communicates the reality of the risk the organization is accepting.
Allan Alford, CTO and CISO, TrustMapp, joined us for a Fireside Chat with Bikash Barai, Co-Founder, CISO Platform and FireCompass, on “How To Present Cyber Security Risks To Senior Management?” Allan is a security veteran who has played the role of CISO more than 5 times in his career, and the talk starts with some of his experiences of successful board meetings.
Reference link for fireside chat & more details on the topic: https://www.cisoplatform.com/profiles/blogs/how-to-present-cybersecurity-risks-to-the-senior-management
Podcast Summary:
Q1 - What has been your most embarrassing moment in terms of reporting to the board?
A1 - Generally we have an allocated budget. But there was once I had to ask for more money along with my CTO. I prepared to explain why we needed the extra money. But it wasn’t close to the preparation needed. The board had lots of questions and I was baffled. It did not go well. It’s crucial to understand what the board wants in order to be able to prepare. This can vary with the nature of the board members, the maturity of the company and more.
Q2 - What were the key factors in one of your most successful board meetings?
A2 - Every board is different. Some have a security sub-committee. Some board members do appreciate some technical facts, but not all. I had built a great relationship with this particular board, and the head of the committee understood technical details more. So what worked was a storytelling method with some technical data thrown in. Since they were enjoying it, I could get into more technical details and they understood. We were able to connect better. That was probably my best experience. Definitely start with a story. Add business-aligned data, which you can start with. You could add some more technical data, but that’s generally not a good starting point.
Q3 - What do you prepare before a board meeting?
A3 - First, we’ll assume we already know the board members / had our first meeting before.
Slide 1 - What did we talk about last time? Where did we get to? What investment did it take? We basically try to prove the previous investment was a good investment. We discussed that I’ll do X and need investment Y, and here is the proof of this being done. This may involve a timeframe, based on how much the board cares about the operations.
Slide 2 - Top 5 outstanding business risks. Here’s where we stand.
Slide 3 - Here’s what I propose to do to tackle the current risk profile. This basically becomes slide 1 in the next board meeting.
So the flow is: here’s what we did; here’s where we are; here’s what we will do next.
Tool tip: a CMMI analysis gives the security score of the organisation. Over time, we show the improvement in the security score. It’s imperative to highlight the top security risks. It’s very important to demonstrate how the security operations tie to the business goals for the year.
There’s a huge gap between CISOs’ understanding of the business goals and the board’s understanding of security. This stitching is very important. Suppose the revenue goal is X ARR. Change the narrative to find patterns in the customer needs / RFPs.
Q4 - How do you build stories? How do you capture the heart of the board?
A4 - I always start with the classic ‘once upon a time’. We knew our current security risk status and this was a business risk we needed to address. Show the journey of how the high-level risks were mitigated. Gartner has a maturity curve which is a poor man’s CMMI. Milestones are on the Gartner curve. Share the journey and credit the board and the business wherever credit is due. Winning over clients based on security being a key differentiator. Show the success factors tied to security which led to the business goal success. Use actual metrics and data to add the pepper (seasoning). If there’s bad news, share it before the board meeting. Start your meeting with positive vibes. If there’s a major decision to be taken, don’t wait till the board meeting. Talk to board members beforehand and get them aligned beforehand, since board meetings are short. Marination is key to having a good barbecue.
Q5 - How many slides do you typically have in your presentation?
A5 - Generally 3 to 5 for a CISO and board meeting. This will be based on how much emphasis the board puts on cyber security. In case security is not a big piece of the board meeting, I’d make 1 slide. One of my biggest mistakes was when I created a hall of fame and hall of shame by putting together the security scores. This went down badly with the account holders, since they directly saw themselves going down in front of the board.
Q6 - What to do during the board meeting? What works well, etc.?
A6 - Definitely provide the material ahead of time so they have time to digest it and come back with their feedback and questions. I’ll present mainly the highlights. But I am really looking forward to their questions. They might have questions like: they’ve seen the current events in security, so is your organisation prepared to handle them? Be ready for this. Is this saving us money? Gaining money, etc.? A CISO can be prepared for the Q&A, and then generally the board meeting with security personnel is about 15-20 minutes.
Q7 - An example of connecting a business metric with security?
A7 - Here are generally a few examples of business alignment.
- Accelerate time to market.
- Stand out from the competition.
- Operational efficiency.
Let’s say Zero Trust played a massive role during Covid. To improve efficiency, you need to make sure everyone is empowered to work from home, and that pumps up work from home. Mention the X factor and Y factor associated with the efficiency impact when you implemented Zero Trust.
Example: MFA (multi-factor authentication). This one needs more technical details. Then show how it ties to the business goal, business risk and maturity score.
Q8 - Suppose you have to build a SOC. An example of showing this to the board?
A8 - A SOC, for example. Obviously the highest risk is dealing with the unknown, not knowing what’s going on. So a SOC addresses that. Show the reports from Gartner and CMMI that show it’s a huge business risk. Demonstrate that the SOC aligns with one or more business goals; even partial alignment certainly helps. For an e-commerce company, a SOC can be used to prevent fraud, which has business impact.
Q9 - What not to include in a board meeting?
A9 - Start with all the things you share with your team, then what you share with your peers, then what you share with the CEO. Then start rejecting what doesn’t fit into your board meeting goals. Have some basic links in the slides which carry second-level detail. Since we start with the full folder, we can go back to the details if and when needed. Demonstrate security and business control to the board.
Q10 - Success factors in a board meeting?
A10 - Never include something you want to do only once. Keep the same structure you will consistently present to the board. No experiments; always make sure it’s sustainable.
Q11 - Any follow-through post board meeting?
A11 - Have someone with you at the meeting so they can note the commitments made at the meeting. Summarise and mention the things you’re now due to do, and set the timelines. If possible, do it at the meeting. See if any areas have challenges. This sorts things out, including unrealistic expectations.