Saying one thing and doing another isn't exactly a new practice in the business world.
That doesn't mean it's a good thing, however, especially when it comes to cybersecurity. Take these disturbing numbers from a recent Deloitte study, for instance: 74 percent of CFOs say digital security is a top priority, but only about half of CFOs expect at least moderate business disruption from security threats. Talk about a disconnect.
While there could definitely be a whole novel written on the why behind this phenomenon, it's more important for CISOs to understand how to bridge the gap, explaining complex ideas, risks and other security factors to an audience that's not known for its tech savvy. Moreover, they need to state their cases in a way that jibes with the company's overall vision while still meeting the CISO's need for constant, pervasive and altogether effective cybersecurity.
In fact, with 67 percent of CFOs in the Deloitte study describing themselves as key stakeholders, there's never been a better time for CISOs to brush up on their roles as mediators between technology and the people cutting the checks. Getting that done, according to The CISO Handbook — Presenting to the Board, largely comes down to five words: What's in it for me.
Drilling down, you can take the idea two ways:
If this sounds a little too much like the office politics many people go into tech to avoid . . . well, it can be. But as the white paper says, "the boardroom is becoming the new lair of the security professional," and failing to mesh with your CFOs and other execs "can be career limiting." That makes proper positioning key for your company and your career.
Once you've hammered out the positioning, your next goal should be simplifying the nitty-gritty pieces of your plan for your audience without losing too much critical info in translation.
One trick here comes from the creative writer's toolbox, of all places: According to the white paper, "analogies . . . are excellent vehicles to begin conveying complex ideas." You may want to explain security in the context of a home robbery, for example, or your digital perimeter as a huge fence surrounding a hoard of valuable goods (i.e., data).
That said, you do not want to try scaring the CFO or other board members into compliance. Using a combination of "facts, observations, anecdotes and metaphors," the white paper says, is always better than "fear, uncertainty and doubt" for getting long-term results from your board members. There's definitely room for talk of consequences, in other words, but don't make them the focus of your chat.
Anecdotes (as mentioned above) can be a huge help. The white paper puts a lot of importance on "telling a story" when stating your case to the CFO — giving them something to remember instead of sticking solely to figures and charts to get your point across. You can play this in a lot of ways, depending on what you're trying to accomplish; in general, however, your story should start with a "hero," define a problem, and explain how your protagonist resolved it through action. If you don't have a particularly exciting story about how, say, a measure you took prevented a huge security disaster, then turn to your friend the metaphor to spice things up.
Being proficient with a smartphone or laptop isn't the same as understanding cybersecurity, and it's fair to assume your CFO will be more of the former than the latter. The Forrester/Veracode white paper is technically about addressing a whole board, but there are tons of takeaways for your next solo chat with the CFO. Give it a look, then ask for help if you still have questions. Whether you're new to the boardroom or routinely chum it up with your CFO, there's no reason you can't get your point across in a way that's beneficial for everyone.
For more tips and resources, check out Veracode's CISO Tool Kit.