Convincing the board to spend on the security initiatives has always been challenging. The ROI being very complex, the information security world is often overlooked. Here's a template to help structure the IT security content for the Board.
Key Considerations while presenting to the Board
Less is more. Board doesn't want the technical details.
We might want to fill up the presentation with a lot of metrics and data but the board wants the most critical ones which they can understand and relate to. E.g. They might not be interested in knowing about patching status or the number of incidents that you handled.
Board speaks different language
Understanding the language of the board is very important. Use technical jargon as sparingly as possible. Change your language and examples to something that the non security audience can easily relate to.
Board is worried about how good the security is....minus the technicalities
That's a hard problem to answer. Security cannot be measured on absolute terms. However you got to explain it in simple way. You also need to assure how ready you are in terms of handling any critical incident
Be cautious: Verify your assumptions
Al lot of times we assume that the board might be interested in certain things. Most of the time people guess it wrong. It is a good idea to assume but definitely verify and take feedback
List of To-Do before the Board Meeting:
- Understand what the Board wants
- Understand the level of understanding of each individual in the board
- Align your security strategy to the Business Goals
- Be Clear on 'How Secure The Organization Is?'
- Consider sending papers before hand to the members for a better understanding
- Real Life example simulations can be easier to communicate with
- Represent numbers or other complex stuff graphically which gives an idea of trend
- Always be ready with the synopsis of all the security projects running and the most vital ones needing approval
- Create a story board where the problem statement is well defined and the action taken highlights its fatality
- Engage the board, get their views and keep your plan flexible
- Compute the security philosophy in simple numbers eg. If scenario 1 happens, Loss=$1million
- References to stats and competing organizations can help with the budgets
CISO Platform Recommended Board Level Metrics
- State of Security in comparison with competition
- Open business critical risks
- No of critical incidents reported to media/regulatory agency
- Loss/Downtime due security incidents
- Compliance status
- Budget performance
- Key security initiative performance status
Comments