September 1, 2015

CISO Tips for Risk Communication: How to Effectively Position Yourself in the Boardroom

There is always a silver lining. When it comes to the recent surge of information security issues, the silver lining is that these breaches have given CISOs increased prominence within their enterprises. What was once just one aspect of a CIO's or CTO's role is now a full-fledged area of responsibility with direct access to the highest levels of the organization.

Presenting to the C-suite or the boardroom can be massively beneficial for your department overall; it can also be incredibly daunting. Learning the right process for risk communication, as detailed in a recent handbook from Forrester Research, can make all the difference in the world for your company's InfoSec initiatives — and your career.

The Modern Threatscape and Loss of Autonomy

There has never been a more exciting, or more dangerous, time to work in IT. New innovations are constantly expanding the boundaries of what technology can accomplish — but those innovations grow the footprint of almost every network, and the increased value of information makes for a ripe market for hackers and thieves.

CISOs once operated squarely within IT departments, but the increased importance of InfoSec means those days are over. The C-suite and board now understand how InfoSec mistakes and oversights can cost their businesses dearly, so CISOs will find themselves providing regular updates to upper management. For CISOs who learn how to bridge the gap between the business and technology sides of the organization, the rewards (for all involved) can be plentiful.

Why You Can't Afford to Fail

Of course, just like with a network, increased exposure also introduces increased risk. On a business level, failing to accurately express your needs and concerns to the board will result in you not receiving the resources required to perform your job accurately. Without the tools and resources it needs, the business will be at increased risk — and should that risk result in an attack, the CISO will have to give a completely different presentation to the company's leaders.

Even worse, giving the impression that things are completely secure in a desire to impress will almost certainly cost the CISO his or her job should a significant attack occur.

On a personal level, any time spent in front of the board presents a powerful opportunity. CISOs who can impress these business leaders through their leadership skills, knowledge and ability to communicate may find themselves fast-tracked for future opportunities.

The Finer Points of Presenting to Decision-Makers

As important as these opportunities are — both personally and for businesses — CISOs can't afford to make these presentations without two things: knowledge of the situation and a plan of attack. Many of the differences related to presenting to upper management aren't intuitive, so every CISO has to do some research to determine how s/he can best prepare.

An in-depth view of this situation is available in Forrester's "The CISO's Handbook — Presenting to the Board." This whitepaper not only provides CISOs with an understanding of how much hinges on these meetings, but can also serve as a starting point when forming a plan.

The whitepaper explores the differing needs of executive boardrooms and boards of directors, addresses the preparation and clarity that are expected before you even begin, discusses the power of stories versus regurgitated facts and explains that there is almost no room for error in an increasingly sink-or-swim environment. All information is presented from an InfoSec perspective, which inherently carries more direct risk than many other presentations a board may hear throughout the day.

CISOs have to learn how to break their highly technical information into short, digestible bursts, without overpromising. By reviewing the questions you are likely to be asked beforehand, you'll be able to equip yourself with answers rather than coming up with them on the fly — which can create no shortage of problems as you attempt to translate technical information for a business audience in real time. A full-fledged plan will also help you ensure certain items aren't forgotten in the pressure of the moment, and it can help keep specific goals — such as expanding third-party security, increasing application monitoring funding or increasing security hardware needs — in mind throughout the presentation.

With security threats getting worse every day, there has never been a more important time to ensure your organization's decision-makers and budget-setters understand the importance of InfoSec. CISOs have to take it upon themselves to accurately present their needs to their boards, and those who choose to wing it instead of learning the right techniques for risk communication are doing themselves, and ultimately their organizations, a disservice.

Want to learn more about presenting to boardrooms? Be sure to read Forrester's whitepaper in its entirety.

Photo Source: Flickr

Shawn Drew has spent the last five years helping businesses understand the difference that technology can make for their internal processes, external connections, and bottom line. He specializes in all things cloud computing and security, and hopes to impart some knowledge on how the two can be combined to enhance the inherent benefits of each. His work has been published on the websites and blogs of a number of technology industry leaders, such as IBM, Veracode and Boundary.
