Security is a notoriously difficult area to get board approval for increased budgets, even though organizations are considerably more aware of their risk.
Nobody wants their company’s name stuck in the news for days, impacting its stock price while regulators and class action lawyers calculate the impending fines. However, from the board’s perspective, security is not part of the revenue-generating side of the business.
All too often, spending on security is a difficult pill for the board to swallow since they simply do not see a return on their investment.
As a CISO, you must find a way to dig yourself out of this hole and explain to the board how you’re tackling the organization’s most pressing security challenges. This must be a way that will not only have enough of an impact on keeping the organization secure but also benefit shareholders.
This task is often easier said than done.
Speak Their Language: How CISOs Should Talk to Their Board
Talking to the board should be less about bits and bites and more about business with dollars and cents. The good news is that 88% of boards now view cybersecurity as a business risk. But that does not mean that they fully understand the issues.
Stick to speaking about tangible risks with two to three slides they can visualize. One should explain your organization’s pain points and the potential negative outcomes for the organization if they do not take action.
Try to keep this list to the most pressing threats, both to keep their attention and to raise your probability of success in getting support to address that risk. One key area that should be at the top of your list is securing identity and access in your cloud environments.
Explaining Why to Focus on Identity and Access Security in the Cloud
Looking at the recently released Verizon Data Breach Investigations Report for 2022, credentials were behind 50% of breaches, outpacing phishing and vulnerability exploitation.
So how should you present this information to your board?
- Explain What’s Changed. Even if your team had solutions in place in the past for monitoring network traffic, pretty much all of those tools will not do you much good when your data/ops move to the cloud.
- Break Down the Risks. Focus your presentation on something specific like the importance of safeguarding your highly privileged identities that can access your sensitive crown jewel assets. Highlight that these are the identities that can not only read but often manipulate company financials, customer data in Salesforce, access your production infrastructure in AWS, your source code in GitHub and perform many other actions that can put the company at risk.
- Show Value. From my experience, the way to win hearts and minds is by showing the value you can give back to the company in terms of time freed up and reducing incidents that can cause damage. After you’ve educated your board on the risk, the next step is to show them how you will help them with the right set of monitoring and controls.
How to Win
Have a strategy of which solutions you need and recruit allies that will support you. Sell your CIO on reducing the time spent on validating access before granting it, as well as the total number of tickets piling up at the help desk.
Get legal on board. Access reviews are a huge part of compliance. If you’re secure, then you’re probably compliant. These reviews are also a significant time suck, with many of their team having to track down who is using which apps or services, who the app owners are, and only then after they come to a reasonable assessment of who has access, do they try to figure out who should have that access.
One final piece of advice. CISOs must stand up and demand a more prominent place at the table. While the CIO plays an important role in keeping the gears grinding, ensuring that services are available and reducing friction to a minimum, the CISO has a more expansive role in many ways.
Thinking about the classic CIA triad, the CISO needs to worry not only about availability but also the confidentiality and integrity of the organization’s systems and data. If any of those elements are compromised, the whole company may find itself on an early summer vacation.
Hopefully, you can come to the table with a clear presentation of what you as a CISO need to keep everything working smoothly and securely, adding the value the board understands and supports.