At a certain point in your ongoing push to modernize security at your organization comes the moment of truth: time to present your initiatives, and your results, to your board of directors (BOD). In the past, you may have gotten by with a cursory explanation that touched on little more than compliance issues, but in 2017, cybersecurity no longer flies under the BOD's radar.
In fact, BODs now see security as a top priority: the New York Stock Exchange found that more than 80 percent of boards surveyed discuss cybersecurity at nearly every meeting. This makes sense, because many board members now consider cybersecurity a major risk area, and C-level executives are increasingly expected to present their strategies and results to the BOD.
Here are some things to keep in mind as you and your CEO prepare to present your IAM initiative’s success to the board of directors:
Focus on the big picture and present your successes through a financial lens
Your CISO or CIO is most likely the best candidate to give the presentation, because those roles combine technical knowledge with the business acumen and communication skills needed to convey your strategy. No matter who gives the presentation, however, avoid getting into the weeds.
While it is important to alert your BOD to specific security threats and their business implications, you don't want to undermine your goals by overwhelming the board with technical details. If you focus on the specifics of how an attack works and how you will combat it, you only reinforce the stereotype that security is a technical topic rather than a business one. Instead, keep the spotlight on business implications, such as financial risk, and discuss specifics only as far as needed to make your BOD confident that you understand the threats and are doing what must be done to prevent them.
Among the most important risks to highlight are brand and reputational damage; breach cleanup costs, such as lawsuits, forensics, and credit monitoring for affected customers; and theft of corporate intellectual property, which can erode competitive advantage and hurt the company's bottom line down the road. In many organizations, security and IT are still seen as cost centers. Show your BOD that security failures will be far costlier.
Keep your presentation digestible and relevant
To keep the presentation effective for a non-technical BOD, stick to risk metrics, high-level strategy descriptions, and performance indicators. Educate your BOD on the difference between leading and lagging indicators: leading indicators, such as intelligence on new classes of threats, are predictive, while lagging indicators, such as vulnerability scan results and incident counts, report on what has already happened.
Analogies and comparisons to breaches in similar industries or at similar companies help drive your points home. Make use of data-breach headlines and remind your BOD of worst-case scenarios, such as the breaches at The Home Depot and Target. Target's CEO and CIO were made to walk the plank, and the cost of remediating the Target breach, initially estimated at $100 million, now looks likely to exceed $1 billion. Those are numbers that get any board member's attention, and they let you show how your initiative is keeping your company from a similar fate.
Bring in key IAM metrics
Again, avoid getting into the weeds when you discuss the success of your IAM implementation. Instead, demonstrate the concrete value your IAM initiative has brought to the business. One way to do so is with strategic metrics, such as:
- Number of known cybersecurity vulnerabilities, and whether that count is going down over time
- Number of cybersecurity incidents per week or month, and whether it is going down over time
- Number of attacks that succeeded, and how long it took to detect them (mean time to detect)
- Dollar amount spent on remediating compromised accounts
- Percentage of attacks that originated from third parties, and how that risk could be minimized
- Loss exposure: what the company stands to lose, and how much loss the board is willing to accept
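The metrics above are usually derived from raw incident and scanner records rather than kept by hand. The following is an added example, not code from the original article, that turns constructed records into the board-level figures listed: monthly incident counts and their trend, the open-vulnerability trend, the number of successful attacks, mean time to detect, and the third-party share. The record layouts (incident dictionaries with start, detection, success and third-party fields; a month-to-count map of open vulnerabilities) are assumptions made for the example and stand in for exports from a SIEM, ticketing system or vulnerability scanner.

```python
"""Board-level security metrics computed from constructed raw records.

Added example; not code from the original article. The record formats
are assumptions standing in for SIEM, ticketing and scanner exports.
"""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample data (not real incidents). Each incident records when
# the attacker first succeeded, when it was detected, whether the attack
# succeeded, and whether it came in through a third party (vendor account,
# supplier VPN, contractor laptop).
INCIDENTS = [
    {"id": 1, "start": "2017-01-04T09:00", "detected": "2017-01-09T14:00", "successful": True,  "third_party": True},
    {"id": 2, "start": "2017-01-20T11:00", "detected": "2017-01-20T12:30", "successful": False, "third_party": False},
    {"id": 3, "start": "2017-01-25T08:00", "detected": "2017-01-27T08:00", "successful": True,  "third_party": False},
    {"id": 4, "start": "2017-02-15T22:00", "detected": "2017-02-16T01:00", "successful": False, "third_party": True},
    {"id": 5, "start": "2017-02-20T10:00", "detected": "2017-02-20T16:00", "successful": True,  "third_party": True},
    {"id": 6, "start": "2017-03-28T13:00", "detected": "2017-03-28T13:45", "successful": False, "third_party": False},
]

# Constructed count of known open vulnerabilities after each monthly scan.
OPEN_VULNS = {"2017-01": 412, "2017-02": 377, "2017-03": 301}

FMT = "%Y-%m-%dT%H:%M"


def incidents_per_month(incidents):
    """Count incidents by the month in which they began, in month order."""
    return dict(sorted(Counter(i["start"][:7] for i in incidents).items()))


def trend(series):
    """'down', 'up' or 'flat' between the first and last value of an ordered series."""
    values = list(series.values())
    if len(values) < 2 or values[0] == values[-1]:
        return "flat"
    return "down" if values[-1] < values[0] else "up"


def mean_time_to_detect_hours(incidents):
    """Mean hours from first attacker success to detection, successful attacks only."""
    deltas = [
        (datetime.strptime(i["detected"], FMT) - datetime.strptime(i["start"], FMT)).total_seconds() / 3600
        for i in incidents
        if i["successful"]
    ]
    return round(mean(deltas), 1) if deltas else 0.0


def third_party_share(incidents):
    """Percentage of incidents that originated through a third party."""
    if not incidents:
        return 0.0
    return round(100.0 * sum(1 for i in incidents if i["third_party"]) / len(incidents), 1)


def board_summary(incidents=INCIDENTS, open_vulns=OPEN_VULNS):
    """One dictionary of headline numbers suitable for a single board slide."""
    per_month = incidents_per_month(incidents)
    return {
        "open_vulnerabilities": open_vulns,
        "vulnerability_trend": trend(open_vulns),
        "incidents_per_month": per_month,
        "incident_trend": trend(per_month),
        "successful_attacks": sum(1 for i in incidents if i["successful"]),
        "mean_time_to_detect_hours": mean_time_to_detect_hours(incidents),
        "third_party_share_pct": third_party_share(incidents),
    }


if __name__ == "__main__":
    for key, value in board_summary().items():
        print(f"{key}: {value}")
```

Mean time to detect is computed over successful attacks only, because that is the number that drives breach cost; failed attempts that were blocked in minutes would otherwise flatter the average. The trend functions compare first and last month, which is enough for a slide; a longer series would warrant a moving average so a single quiet month does not read as improvement.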
As stakeholders, your executive team needs to stay informed about the company's cybersecurity risks and the successes of your IAM program.
Keep working to modernize your company's security plan and identity management system. If you keep evolving your information security program, track your wins, and communicate with corporate leadership, your company will be well on its way to a much more secure future, as will you and the C-level executives on your team.