Week 7
Building an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors
By 2020, 100% of large enterprises will be asked to report to their boards of directors on cybersecurity and technology risk at least annually, up from today's 40% (Proctor, E., P., Wheatman, J., McMillan, R., 2016).
Risk data regularly influences the decisions of 71% of organizations' boards of directors (Gartner survey data, 2015).
Why did "UK banks spend more on security and suffered more fraud" (Anderson, J., R., p.228, 2008)? The simple answer is that UK bank employees became lazy and careless, a moral hazard that led to increased fraud. Why is the security budget lean in many organizations? Is security underfunded in organizations? If your answer is yes, you may want to know some of the reasons why this is so:
- Risk and security leadership is unable to provide board-relevant, business-aligned content and to abstract out the direct technology references.
- SRM (security and risk management) leaders often use unnecessary fear, uncertainty, doubt and sometimes exaggeration in board presentations to drive home their points.
- SRM leaders use too many technology terms in board presentations, knowing that most board members are handicapped by their lack of understanding of security technology terms. This tends to limit questions from most board members.
- The result is a failure to create defensible connections between cybersecurity risks and business outcomes (Proctor, E., P., Wheatman, J., McMillan, R., 2016).
It is to be noted that SRM leaders are being asked more frequently to present to their boards on the state of cybersecurity controls in their enterprises. However, much of the reporting is low-quality and has minimal benefit to the board, and so it does not improve the relationship between the board and the security and risk management leaders. There are some best practices to improve on this:
- Communicate with your audience on their own terms
- Understand the board's role and responsibilities
- Socialize the key messages before the presentation
- Road-test your presentation
- Use fear, uncertainty and doubt sparingly
- Focus on readiness
- Use process maturity as a proxy for risk posture
- Abstract out the technology
- Stress risk management and balancing protection with business outcomes
- Highlight the business value of security and risk investments
- Educate the board on how to influence effective security
- Always end with an "Ask" (Proctor, E., P., Wheatman, J., McMillan, R., 2016)
It is imperative to avoid the seven deadly presentation sins: too much technology; overly complex slides; too much FUD (avoid focusing too much on threats and theoretical risks); lack of business alignment; misleading data (avoid ROSI, return on security investment, projections that you can't defend); too many people in the process; and failure to connect with board-relevant decision making. In addition, be prepared to address objections and personalities.
The good news is that there are some tactics you may need to know:
- Consider the perspectives you want to give the board
- Gather intelligence
- Be deliberate with your terminology
- Be ready to address objections
- Overcome apathy
- Ask for an outcome and request the next date (Proctor, E., P., Wheatman, J., McMillan, R., 2016)
References
Proctor, E., P., Wheatman, J., McMillan, R. How to Build an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors. (2016-3-3). Retrieved (2017-21-7) from https://www.gartner.com/document/3238219?ref=solrAll&refval=187825080&qid=4afe393c3486f20d5158fb21d4dd4d85
Anderson, J., R. Security Engineering: A Guide to Building Dependable Distributed Systems. 2nd ed. (2008). Wiley Publishing, Inc., Indianapolis.