No, I have not done this a hundred times; I’ve only done it once so far, but it went fairly well, so I thought I might capture some notes on prepping for the conversation that many boards are being told they should be having.
Don’t Put this Off
Minimally, you should be prepping for the question – but do yourself a favor and prompt one of your Board members on the topic. They have been hearing about this a lot lately (sometimes a bit more bluntly than others), and it would be nice to preempt the question to show you are on top of things.
This is Not a Technical Conversation …
Don’t make the mistake of turning this into a deep dive into TLAs and arcane CISO-terminology – this is not a project status report. While prepping for this, I picked up a great soundbite – a consulting firm noted to me that many IT leaders make the mistake of getting into the arcane details of tools, processes, and metrics, without explaining why we care about any of this in the first place. Board members will often point out that it’s not their job to run the company – they are not Operators, they are there for Trusted Support and Governance …
… so Focus on Risk …
What does the board want and/or need to understand about cybersecurity? Simply put – do cyberthreats present an unmitigated / unplanned risk to the business? Depending on your industry, they will want to know that you understand about any required disclosures. You can also get specific about how your industry might be impacted by common cyberthreat targets; do you handle large amounts of consumer data? Are you in a regulated industry? Are you a critical component of the supply chain for your customers? The Board may also be interested in any personal liability issues.
… but Don’t Cave to Conservatism
If you want to be 100% safe (or you have a tough time quantifying IT risk), then lock everything down and aggressively manage access. But that would be a little short-sighted; this is a great opportunity to broach (at a very high level) issues like the Consumerization of IT and BYOD. Will a too-conservative cybersecurity policy prevent different areas of the business from taking advantage of newer technology to improve customer relationships and internal process efficiency? Check out Westerman’s post from HBR; it’s a terrific way to show the different “forces” pulling your cybersecurity policies in, at times, opposing directions.
Listen to What They Are Hearing
As part of your preparations, make sure to connect with trusted sources that the Board has (or may have) been talking to. Audit and accounting firms like Deloitte, PwC, KPMG, and E&Y will all have position papers and practice areas – does your Board regularly work with them? Another great idea is to check what your peers are doing; don’t compare light manufacturing with financial services, healthcare, or pharmaceuticals.
Tell The Story Succinctly
You’ll probably get 30 minutes, so make them count. Here’s an outline that should work for most organizations …
- Enterprise Risk Management: Put the conversation in context within the overall ERM conversation that the Board has already heard
- Current Cyber-Risk Profile: What the company should _realistically_ worry about – and let your conservative side show by reminding them about Random Acts of Stupidity. By the way – this is a great place to balance that conservatism with a chat about Access, Availability, Accuracy, and Agility
… and some combination of the following …
- External Threats: Cover the technology involved in a single summary slide. Focus on how the process is managed, what improvements have been recently completed, and what (if anything) is on tap for the coming months
- Internal Threats: Again, keep the technology details simple – but be prepared for specific questions on sound-bite topics like spear-phishing (a recent hot topic). Again, bullet out recent and planned improvements
- Privacy and Personal Data: Especially if your business deals in consumer and credit card data; know the local disclosure laws you are subject to, and have a plan for them all
- Disaster Recovery / Business Continuity / Records Retention: Depending on the audience, these topics are sometimes mixed in with the topic of cybersecurity; have some facts ready, or be prepared to answer a quick question with a deflecting answer (“… not in scope for this conversation, but we have it covered with XYZ process and policy …”)
… ending up with the classic …
- Incident Response: No cybersecurity review is complete without a review of your Incident Response Management process, so that there is clarity on how any disclosures can be released in a structured, controlled manner.
The conversation may expand into more depth than you think – after all, corporate boards are getting savvier about IT all of the time.
13 October, 2013