Presenting to The Board: 3 Tips for Communicating Risk and Expanding Budget
Whether your bank or credit union has $50 million in assets or $50 billion, presenting to the Board can sometimes be a scary endeavor for even the most seasoned IT professionals.
And we totally understand why.
The Board of Directors is a peculiar breed: its members speak a certain language, expect brevity, and examine business practices from a bird's-eye perspective. As an IT Manager, CISO, or CSO, you understand risk and compliance intimately, and you think about them in infosec terminology.
Clearly Communicate Risk During Your Board Presentation
Being able to effectively communicate with members of the board ultimately helps everyone: it gives the folks in The Room the ability to make informed decisions about risk management and compliance so they can properly allocate resources and hire personnel, and it gives you the chance to educate the most influential shareholders on how well your security program is performing, as well as where you could use their support to make improvements.
In order to most effectively communicate risk mitigation with the board, follow these 3 tips.
1. Use Universal, Non-Security Terms
The world of IT security is riddled with technical jargon and acronyms understood by very few. You can almost certainly count on the board of directors to be neither well-versed in this language nor have the time to learn it. Phrases like “the probability of SQL injection on database servers” should be left in your office, not at the head of the Board table.
Make an effort to align your language with that of the people to whom you present. Define a lingua franca immediately in your presentation by very briefly reviewing how your organization defines the few technical terms you cannot avoid using. Put everyone on the same playing field through your language, and you’ll find your words carry more weight and persuasion from the start.
Knowing what types of words to avoid should get you out of The Room with your job still intact; knowing the specific words to use may get you out of The Room with everything you need to mature and advance your security program. Talk in terms relevant to the way they think about the business of the organization. For example, classify urgency by how it might impact shareholder value.
2. Be Quantitative Whenever Possible
Risk, as we know, cannot be entirely quantified, but quantifying it where you can renders a deeper understanding of both your IT risk environment and security control network. Your shareholders are more than likely ignorant of both, but still require a touchstone in order to make informed decisions. It is your job to make this possible.
Come to the Table ready to explain risk on a scale; start by using the FFIEC Cybersecurity Assessment Tool. Although the tool is meant to help your organization measure inherent risk, you can use the same scale to categorize risk in terms of least, minimal, moderate, significant, and most. To further capture the attention of your shareholders, try to explain how the risk levels might impact your organization in dollar value if not mitigated.
3. Come with Issues, But Also Solutions
When all is good news, the CEO presents to the Board; when problems arise, the CEO still presents to the Board; but when a specific problem arises, the CEO calls up the in-house expert to present to the Board. Chances are, when you’re walking into that room, it is because of one of these specific problems.
It is vital that your presentation properly addresses whatever issues pose a threat to your organization, but come bearing solutions. It is best to use data to explain the problem and to show how that same data provides you with a way to solve it. Remember, no one likes hearing bad news, but if the remedy is readily available, it helps to ease the pain of it all.
Despite all the cybersecurity breaches stealing headlines over the past two years, IT security is still understaffed and under-budgeted. Take your opportunity in front of the Board of Directors to plead your case for expanded budgets and new hires. Again, these individuals are the most influential shareholders in the company. Give them a reasonable proposal to improve the cyber security functions of their company—which will hopefully coincide with a much more manageable workload for yourself.
Delivering a Successful Presentation
Rivial Security aims to make risk management as effective and painless as possible. Check out how our Virtual CISO service can help you build and mature a solid security program – and yes, we will present to the Board so you don’t have to.