For CISOs, engaging with the board can be one of the more challenging elements of the role. While it can feel heartening to put together a strategy that effectively strengthens your organisation’s defences, that feeling doesn’t last long if the board rejects your proposals for budgetary reasons.
This was one of the key talking points at Telstra Purple’s most recent ‘New In Role’ roundtable discussion for freshly appointed CISOs. These events are put on for CISOs who have been in their role for less than a year, encouraging an open and honest discourse about important challenges under the Chatham House Rule.
Understanding the business and its people
Finding the right way to engage with board members starts with developing a deep understanding of the organisation and the people within it. This process should start right at the beginning, potentially even at the interview stage.
“If you can walk in at the interview stage with a plan, that’s the best place to start,” one attendee explained. “Then, touch base with the other technology leaders within the organisation during your notice period. This allows you to understand their pain points in advance, so they already know, and potentially agree with, your structure from the outset.”
An important aspect of the role of the CISO is to champion the importance of cyber security throughout the entire organisation. You can accomplish this in a few ways, although one effective strategy is to develop training and awareness programs in the early stages of your tenure.
This could involve various staff briefings, or on-boarding calls with every team to introduce yourself and explain how you’ll be working with them. This cultural transformation is key to taking cyber security from a dark art to something that’s deeply ingrained within the infrastructure of the organisation.
Once you start developing a cyber plan and strategy, it’s important to engage individual members of the board and get their buy-in, before approaching the board as a whole.
“Talk to people and show them your plan on a 1 to 1 first, before you present it to the board,” an attendee noted. “That way, you can get feedback and tweak your strategy to address their pain points as a priority. Then, by the time you present it to the entire board, you’ll already have the approval of half the table.”
Approach the board with an objective-based mindset
When approaching the board to present your security strategy and secure budget, it’s crucial that you frame these discussions in terms of their mindset.
Organisations are often ambitious and optimistic by nature, so when you’re the only person talking about risk, or how things could go wrong, it’s difficult for those ideas to resonate.
The trick is to go into discussions with a positive angle, so the board feels you’re enabling them rather than bogging them down. Talk about how you’re going to help the company move faster and how you’re going to protect and defend its reputation with customers.
It’s also important to make their business objectives part of your objectives, presenting the right metrics that resonate with the board.
“When I first started, I called it the burning imperative,” one attendee said. “I try and find where the pain points are and then structure my plan from that. Have open and transparent conversations with the stakeholders…
“But if I get too technical when discussing my security objectives with the board, their eyes can glaze over. I make sure I talk about how my plan will aid their turnover, then they get engaged.”
The panel also noted that it can be helpful to frame discussions around any previous incidents the company might have faced.
“When I join an organisation, I ask for any past incidents, even if it was a near miss,” a panel member explained. “They don’t even have to be big incidents. They could be phishing emails or a mistakenly paid invoice. It makes it useful to build a case for future work. It’s a good scare tactic.”
Dealing with dwindling budgets
Budgets can be a pain point at the best of times, and they’re fluctuating wildly at the moment, depending on how organisations have adapted to the pandemic.
There are a few ways of steering budget conversations in your favour, although a big part of this will be raising awareness and driving home cyber security’s value. One interesting way to accomplish this is through penetration testing, which can go a long way to showing what life would be like without a security budget. You can also drive active participation in your security programs by appealing to the better nature of the staff in the organisation.
“We harnessed the competitive nature of individuals by gamifying the maintenance of good security practices. By implementing a company-wide security scoring system, each team could track their performance and work to surpass one another. The recognition gives them a sense of personal fulfilment, instead of feeling forced,” an attendee said.
At the end of the day, CISOs shouldn’t fear having their budget rejected – it’s all part of the job. However, if the board does reject your budget request, it’s essential to outline the associated risk in the context of your organisation’s risk appetite. That way, the board has a full understanding of the implications and can make an informed decision.