Board buy-in, and how to achieve it

The board of directors knows cybersecurity can’t be ignored. Now is the right time to get buy-in for cybersecurity initiatives.

By Bill Clark

Fri 3 May 2019 @ 12:55

The only good news about a plethora of high-profile cyberattacks and data breaches is that everyone has heard of cybersecurity. That includes the board of directors. The bad news is that getting buy-in – and funding – to bring an organisation’s security maturity up to standard still requires work.

Ernst & Young’s Center for Board Matters identified how boards should approach oversight of cybersecurity:

  • Understanding the cyber risks facing the organisation and how they may affect the business
  • Challenging the effectiveness of the organisation’s cybersecurity risk management programme, and supporting the continued evolution of the programme (e.g. promoting a risk-aware culture and a holistic risk management strategy, balancing cost and value derived)
  • Understanding the IT assets that connect to the organisation’s network
  • Monitoring the effectiveness of the organisation’s vendor risk management programme
  • Determining how well the monitoring and incident response programmes work

Understanding these five concerns are a good starting point for building a strong and convincing pitch to secure the buy-in of the board.

But convincing the board to take action means getting past several layers of rejection. The first layer, the awareness that cybersecurity is an issue, has already been accomplished.

However, the board may still see it as an IT issue. It’s your job to convince them it’s a business issue. Here are some simple steps you can take to achieve that:

Step 1: It’s about the business

The board of directors is charged with ensuring the profitability and sustainability of the business. Anything that threatens the bottom line is in their responsibility.

Show the board the actual cost in pounds, dollars or euros of a cyberattack or breach. Whether it’s fines under GDPR, the costs of reputation damage or the cost of lost data and remediation of the attack, attempt to show what is at risk.

Step 2: Get your data in order

You will need to illustrate the current state of the organisation’s cybersecurity, explaining what it’s doing and what needs improvement. The challenge here is that you have to explain it in terms that are meaningful to the board. This means avoiding jargon. Whether it’s SIEM, UEBA or APT, leave the acronyms out. If the concepts are important, explain them clearly. However, be careful not to get bogged down in details. The board works at a high-level. Do not get mired in operational or technical minutia.

Step 3: Make the story compelling

You will have to show what risks the organisation faces if it carries on as is. If you’re making this presentation, you’ve already concluded that there are real shortfalls in your current strategy, so you have to communicate this in terms of business risk, without hyperbole. The risks businesses face are real, but exaggerating them to try to manipulate the board will likely work against you. The people in the boardroom have made careers based on assessing risk from hard data, not hype.

Step 4: Closing the deal

Simply bringing the problem to the attention of the board isn’t enough. Putting another problem on their plates may even annoy them. If you’ve made a good case, backed up with data gathered from your SIEM, UEBA, NTBA and other resources, you should have them convinced there is a need for change.

Now is the time to propose that change. Come prepared with a concrete plan. Include timelines, costing, and projected ROI. Better still, present two or three options and present the benefits (and limitations) of each approach and suggest which you consider best.

Step 5: Have your answers ready

You thought you were finished? Not quite. The board is likely to have questions about what you have presented, and you’d best be ready for them. Remember, think like a board member. Anticipate the objections or concerns they might have and prepare answers, ideally with statistics or examples to back them up. Questions mean engagement and solid answers can mean success.

You’re not alone

Preparing to face the board can be a daunting task. Your SOC team and your cybersecurity tools can help you gather and prepare the data you need to present a full picture for the board.

LogRhythm, for example, can provide the information you need and help you organise it in a compelling fashion, making communication with the board easier and more effective.

Learn more

How LogRhythm can help make communication with the board easier and more effective.