Selling (or Storytelling) Cybersecurity to the Board

Written by David Finn; Executive Vice President, Strategic Innovation at CynergisTek

There has been a lot in the media recently about "selling" cybersecurity to the Board. We all know that a CIO's or CISO's role is about gaining support for projects, large and small, related to information technology and security. However, if you are really having to "sell" these projects to senior management and the Board, that may mean that your organization's executive management or leadership isn't committed to cybersecurity. More likely, they are simply not as knowledgeable about security as they really need to be in today's world, particularly in healthcare.

If "to sell" really means to give or hand over something in exchange for money, then selling security should be relatively easy given the tidal wave of ransomware, phishing attacks, business email compromise and data breaches. Who wouldn't want to protect themselves from these events – it's their business! This is where things start to break down, because it isn't really about "selling," it is about "storytelling". People are asked to join Boards or become CEOs because they are savvy business people. That doesn't mean they are cybersecurity experts – that's your job, remember? Most of us understand that corporate leadership does not have a deep understanding of cybersecurity.

Translate Cyber Risk to Business Risk

Here is my first point, if you're counting: your audience may not know cybersecurity, but they do understand business and business risk. Business risk really means the operational and financial risks that the organization faces. That means that to really communicate with the Board you're going to have to understand a few things, so you can translate cyber risk into business risk. You need to understand how your organization makes money (business people will say "generates revenue"). In order to tell the story, you will have to understand how the company operates.

With that understanding of how the business makes money and the people and technology involved, you can start to model how insider and external threats – even competition (I've seen privacy leveraged aggressively in marketing campaigns after a breach at one hospital) – might disrupt operations. Then you map out the appropriate security controls (they must include people, process and technology) to minimize impacts and build a resilient organization. You should map business risks to cyber domains and determine how best to mitigate them. Security is ultimately a business risk, not just an IT or security problem.

Illustrate Your Business Risk Story

Now you've almost got them where you want them. But a story with no compelling facts or data is a work of fiction, and Boards will only fund a fiction once. Once you've got the business risk story built, you will need to "illustrate" it with measurements and metrics, which is my second point. You should take the opportunity to get the Board caught up on some of the noteworthy issues that have risen to the senior executive level over the recent past (depending on your reporting cadence, this could range from monthly to annually). These could be industry trends or occurrences specific to your organization and how they relate to the business. It may be new regulations that have been issued. Speaking of metrics and measurements, you should be talking about how you are improving your risk posture in business terms: it's fine to say you've rolled out multi-factor authentication to 1,000 remote users, but what does that mean to users and to security? Talk about improvements in performance, and identify security goals and how they are being addressed. Whatever data or metrics you use, they must be clear, transparent and accurate. It may not always be good news, but that is part of the story that must be told, too.
