As the CIO, CISO or a member of the IT team of your company, you know how important it is to have a quality cybersecurity program that is not only effective but can also be easily reported to your Board of Directors and other stakeholders. However, the people who make up your Board, and who ultimately make the decisions of the company, might not truly understand how cybersecurity works. Yet they read the Wall Street Journal, watch the news, and are exposed to the ramifications of cyberattacks daily, and they are trying to connect the dots to their own personal and fiduciary exposures. As the pressures of Board accountability increase, so will your role in presenting your organization’s cybersecurity program. Explaining your cybersecurity program to your Board of Directors can be difficult and daunting.
Today, in many cases, the Board carries the highest responsibility for the cybersecurity of your company, as was discussed by SEC Commissioner Luis A. Aguilar in a speech delivered in 2014, and which was posted on the U.S. Securities and Exchange Commission site. He closed out the speech saying that board oversight of cyber risk management is “critical to ensuring that companies are taking adequate steps to prevent, and prepare for the harms that can result from such attacks.”
Learning How to Speak to the Board
One of the first things to remember when presenting cybersecurity to the Board is that most members will not know the highly technical terms and jargon you are accustomed to using with others in your field. Therefore, you need to change your approach when speaking to them. Focus on risk management, backed up with hard data and visuals, while connecting it to the company’s top line and bottom line.
Start by providing them with background on cybersecurity and why it has become so important. Some Board members may not realize just how dangerous the landscape has become, or the dangers it poses to their company and their finances. Talk with them about the major types of threats that could affect the organization. Threats are constantly changing, so giving them “ah-ha” recent examples and relevant case studies will grab their attention. Explain what each of these threats is and what it could do to the company. How could it affect your brand and shareholder value? Provide examples of other companies in similar industries that have suffered cyberattacks and highlight what happened to those businesses.
The Board is likely familiar with the operations of the company, so explain how various cyberattacks could affect those areas. What would happen if proprietary information were stolen? What would happen if customer and client financial information and credit card numbers were stolen? For starters, many of those customers would take their business elsewhere, and this could severely damage the company’s bottom line and reputation.
Discuss the programs and methods that can help reduce or eliminate these threats, and highlight the difference they can make for the company’s ability to serve its customers and build (and preserve) a good reputation. After all, companies that are willing to invest in cybersecurity are viewed as having their clients’ and customers’ interests in mind as much as their own.
Show your Board the programs that are currently in place at the company and your road map for continuously preparing for future threats. Real-time charts, dials and data are what Board members are accustomed to seeing. You can also provide an overview of improvement opportunities that would keep your organization ahead of the game and boost security further. This is a great opportunity to get buy-in from the Board for additional operating capital to support your cybersecurity goals.
Finally, your messaging should not be about FUD (Fear, Uncertainty and Doubt) alone; Board members will tune out and lose interest. Wrap up your Board presentation by pointing out that cybersecurity can be proactively communicated early in sales cycles with potential customers to help deals close faster and with far less scrutiny at the final hour. Keep track of how many new customers, and how much revenue, you and your team helped close through your participation in sales calls and the success of your cybersecurity program. That will get noticed – big time.
Your initial presentations are just the beginning. Continue to keep the Board updated on issues and opportunities relating to cybersecurity, and make sure they receive the education they need on current threats and the benefits of your ongoing program.
Let the Board know what you and your team have done to address cybersecurity since the last update, and the new methods and tools you are implementing. By this time the Board should be “clued in” and will have a better understanding of how and why certain things are essential for the workflow, security, and growth of the business. You can also update them on the accountability metrics you are tracking, such as compliance scores, audit findings, policies, and training programs.
How Apptega Simplifies Board Reporting
One of the great features of Apptega is its powerful reporting tools, which are tailor-made for Board presentations. You can show the Board the end-to-end story of your cybersecurity program, including real-time compliance scores, what you have achieved over time, areas of strength, areas for improvement, project life cycles, and the implementation road map for the next 12 months. Crisp dials, graphs and charts are exported to PPT, and reporting templates are provided to match expert industry practices. Reports are generated through Apptega in minutes instead of hours or days.
Contact us to learn more about how Apptega makes presenting cybersecurity to a Board easy.