There’s no shortage of experts advising infosec pros to “speak the language of business” when talking to management and boards. But what does that mean?
Richard Wilson, a partner in PwC Canada’s cyber security and privacy consulting practice, told this story at the annual International Cyber Risk Management Conference this week in Toronto:
“We went with the security group to do a presentation to senior management and the board, and I gave them one mandate: We’re going to talk about the program and you’re not allowed to talk about one piece of technology — no three letter acronyms, no DLP, IAM or anything like that.
“And they gave me a scared look. They asked, ‘How do I do that?’ and I said, ‘When you go to France what language do you speak? French. When you go to the board what language do you speak? Risk. They speak risk. So speak their language.’”
For example, Wilson said, present things like the top 10 risks the organization is facing right now from a cyber security standpoint. Put them on a heat map of impact versus likelihood. “Everybody gets that.” Where do we need those risks to be? Plot that on the heat map too. How do we get there? Tell the board you need X dollars here and Y dollars here to move that risk down on the heat map.
“The board asked about our resources, timeline, implementation risks,” Wilson recalled.
The team got the budget it wanted.
That was one of the nuggets of advice Wilson and two other experts gave to infosec pros in a panel on choosing security technology as well as selling security to management.
Educating the board is part of the job, admitted Azam Dawood, the Bank of Montreal’s head of technology procurement. But, he added, the heart of a presentation should be why we are doing something. Don’t talk about tools and jargon, he cautioned. Boards want to know what the risks of an action or inaction are, and how the organization compares to its peers.
You’ll need to explain some components of the security plan’s defence and response strategy, as well as how a decision or purchase will impact customers.
Every medium-to-large organization needs to create a mature enterprise risk model, said Michael Eubanks, SVP of information technology and CIO at the Liquor Control Board of Ontario. There are quarterly reviews with the board of top risks and whether there have been any changes. Adjustments are made in technology, people or processes based on the organization’s risk tolerance. “That, in my view, has made the discussion around investment in security tolerable.”
Moderator Steve Tenai, a partner in the Aird & Berlis law firm, complained too many managers want short, crisp responses that everything’s OK. “I’ve been in meetings where (the security team) tried to give a nuanced explanation.”
Some boards and managers understand there are limitations in technology, he said — for example, that patches don’t get installed immediately — but that understanding is not universal, which can be a problem. “You need a nuanced discussion of risk and priorities without technology being a barrier.”
To managers and directors he would say, “You don’t need to know tech to get an understanding of where you should deploy technology, because it’s a discussion about risk: What are we trying to accomplish and bring risk within the organization’s accepted levels?”
What are the goals?
When talking to a board, start by determining what the business is trying to accomplish, advised Wilson. That could be protecting data, growing market share, keeping electricity flowing and so on. Then figure out what the security risks or barriers are to getting that done (for example, data breach, ransomware, internal vulnerabilities).
Only after looking at the organization’s objectives, its assets, processes and people can the CSO decide what technology is needed to deal with threats, Wilson said.
If the board and management team doesn’t believe the security team’s work lines up with what the business wants, “then we will be misaligned.
“At the end of the day, they’re investors. And if your investor doesn’t believe in you there’s a problem.”