Managing Board Oversight of Cybersecurity Initiatives & Getting Buy-In for Investment  

What can an information security leader do when your board doesn’t “speak cybersecurity?”

The issues, challenges, and demands of cybersecurity today are often filled with abstract concepts and technical specifics. These complexities can make it difficult for CISOs and other leaders to translate their needs effectively.

However, it’s critical that leaders know how to communicate the seriousness of cyber risk and financial exposure to the Board to get funding, as well as build and maintain support. Successfully managing Board oversight of cybersecurity is the best way to secure the appropriate resources needed to address the ever-changing and persistent cyberthreat landscape.

Board Buy-In on Cybersecurity is Necessary

Why is it imperative to get Board buy-in and report effectively? To ensure that cybersecurity investment remains the right priority — making it easier to install the people, processes, and technologies that keep business operations secure, and working at an optimal level.

Cybersecurity is at the core of sound operational management. And by framing cybersecurity discussions with the board around that idea, you’re more likely to get their attention and their financial support.

Board and executive buy-in is also an important ingredient to fostering a security-focused culture from top to bottom. This makes it much easier to motivate the entire organization to stay vigilant and to successfully implement processes and policies. 

How to Obtain Board Buy-In for Cybersecurity

There are a few things you can do with your board to get them to understand the importance, role and need for cybersecurity:

  • Explain the Current State. Boards need context to understand the modern threat landscape, especially if the organization is looking to scale or change its cybersecurity solution
  • Contextualize the Risk. There are plenty of third-party reports that can articulate the severity of cyberthreats today. Showing the board, with real-world examples, what the business impact could be is a powerful narrative
  • Find an Advocate. It’s likely you already have a cybersecurity champion or two on your board. Seek out and nurture those relationships, allowing them to advocate on your behalf to fellow board members
  • Simulate an Attack. Showing the results of a simulated attack can help you show in detail what happens and how it can impact the organization, financially, operationally, and reputationally
  • Demonstrate Return on Investment. Illustrating the ROI on cybersecurity is an important component of your conversations with the board.
  • Partner with Third-Party Providers. Collaborating with your technology partners can provide your organization with an external, industry-leading perspective on the need for cybersecurity

Fortune 500 Industry Leaders Share Solutions for Working with Boards on Cybersecurity

Christian Sorensen, founder and CEO of SightGain, recently spoke with several Security Operations Center (SOC) leaders of Fortune 500 companies to learn about how they work with their boards.

For Xavier Ashe, senior vice president of security operations for Trust, board engagement is “very situational” and often centers around the consequences of downtime.

“Business impact is something that’s very visible to them when we have application outages or network outages,” Ashe said.

While many of those issues are not within the realm of cybersecurity and often fall to IT, Ashe noted it’s important to be able to talk to those issues and help the board understand. Board members, for example, will ask what cybersecurity is doing to mitigate the issues around stoppages.

Regulatory Conversations Focus on Cybersecurity

With increased regulatory scrutiny of infrastructure, consumer data and enterprises’ commitment to cybersecurity, it’s natural that compliance is a point of interaction with boards.

“A lot of it’s talking about our roadmap, going from where we are today to being in compliance,” said Josh Copeland, security director, (cyber), for AT&T. Once the organization is in compliance, Copeland noted, the conversation turns to what is being done beyond compliance mandates to keep the systems secure.

“Because compliance is a baseline, it gives us a really good starting point, but it should be just that, the starting point,” Copeland said.

Copeland said it’s about having conversations that go beyond “meeting these check boxes (with) regulators” and “understanding that there are things that we can be doing that can streamline, can do that process better, faster, cheaper and produce a better return on business, where we can then reinvest those funds back into our business processes.”