How to get fast board buy-in for your cyber security project

To experts, the business case for cyber security change programmes can seem clear as day — it can be hard to understand why rational business leaders may say no to investment. Yet they do.

Here’s how to get a yes.

Winning board support for cyber security projects is a critical challenge for security leaders and Chief Information Security Officers.

Recently I was asked by a CISO (let’s call him Robert) why his Risk Committee pitch was not being heard. This was not an issue of slide content: the topic was important and the case for change was clear, but the committee simply did not seem engaged at all.

He is far from alone in this problem, with research indicating that some 75% of board members want to spend more on cyber than they do in practice.

This is a significant problem for security leaders, as a large part of leadership in cybersecurity is convincing stakeholders that supporting a proposed change is the right thing to do.

For Robert, the issue was not that he was losing the committee’s attention, but rather that he was never winning it in the first place.

He was not wasting their time. He had been told he would only have five minutes, and had prepared accordingly, so as he sat outside the boardroom waiting to be called in he was confident. At the previous meeting he had explained to them that some 80% of the company’s externally facing applications had never had a security assessment, and so the organisation was taking a significant level of risk — with a future breach a near certainty. The committee had asked for his proposal to fix this, and he was ready to go straight in.

Robert jumped in with the plan - “further to my last report, we propose to invest $400k assessing the risks of our legacy websites. We have failed to take action in the past, and if we do not address this now we run a significant risk”. He went on to show that the risk exceeded the cost to fix by a factor of 10, that they were ready to start, and that the project could be delivered within 12 months.

It seemed cut and dried: he had the analysis in his report to back it up, and the funds were available to do it.

The committee should have been engaged but they were drifting to their phones and laptops. The result was uncertainty from committee members and a request for a further report in 3 months — during which time, Robert knew, the risk could easily materialise into a major cyber security incident.

Robert was clear about the audience and the pitch; however, because he did not renew their attention from the previous meeting, the rest of his pitch fell on deaf ears. He forgot that in the time since they last heard from him the committee’s attention had been on many other matters, and that he would need to remind them why this was important and deliver a structured case for his plan.

In his defence, there was no time for a full 30-minute presentation, and delivering a structured business case in a few short minutes seemed impossible.

It’s not.

By using the simple 10 step method below, you can deliver an effective pitch and ensure that you have the attention of the room throughout.

The 10 steps to cyber security board pitch success

  1. Purpose
    State simply the decision required so everyone is clear what they are being asked for. For Robert, this could be “I am requesting the committee’s support for a $400k spend over 12 months to address legacy application risks”.

  2. Engagement
    Obtain engagement by highlighting why the issue matters in as few words as possible, connecting with any previous discussions to refresh memories. For example “In my March report, the committee recognised that this was a critical and urgent issue and commissioned me to draw up a plan to address it”.

  3. Empathy
    Recognise the decision that the group has to make, whilst avoiding any appearance of blame. Whether right or wrong, past decisions were made for a reason and there is usually no need to pick them apart or challenge them. “Recent incidents in the industry have shown that this now poses a much greater risk than we knew when these systems were introduced”.

  4. Problem
    State clearly what the actual problem is. “We have 420 legacy apps of which only 31 have been assessed. Of those assessed 27 had critical issues — so we estimate that approximately 90% of the remaining sites will have issues we will need to address quickly”.

  5. Impact
    This is business impact, not technical impact. If you have done a quantitative analysis this is where to raise it. If you have not, a qualitative comment will often suffice. “Many of these sites hold confidential data on our customers. If this is breached we will lose their trust and suffer significant costs, fines and penalties”.

  6. Solution
    Provide the answer. This is what Robert jumped to directly — he spent all his time here, which is why he was not heard. We are only seven sentences into our pitch now (count them!), but those seven sentences really matter. Now we are all on the same page and ready to hear the proposal. “We will assess 35 sites a month on a risk prioritised basis over the next 12 months to cover the remaining 389 sites before the end of the year. As soon as we become aware of issues we will commence remediation, and we will report back to the committee quarterly on progress”. Offering to report back helps to build confidence and trust.

  7. Obstacles
    Acknowledge any expected challenges in delivery. If you have done your research, you will understand the interests of those around the table and be able to instinctively spot the questions they are likely to raise. Even if not, major concerns are often easy to see by looking at it through the eyes of stakeholders. Usually these are political, resource related, or confidence related. “We know this will take some time for the application support team, and they are under pressure right now due to major system upgrades.”

  8. Resolution
    Address the obstacle head on. “We have spoken to the Application Support Manager and IT Director, and confirmed that we can schedule work away from the end of the month when they are busiest”.
    Note — you may need to repeat steps 7 and 8 if there are a couple of issues you know will be raised. If there are more than two, create an appendix and refer to it: “We have socialised the plan widely and have addressed the key issues as shown in Appendix 1. I will be happy to discuss this further with you if there are any concerns”.

  9. Proof
    Social proof is not a wild-eyed theory. Most rational human beings want to know that regardless of your internal analysis, there is some external frame of reference. If you don’t address this directly, you may be asked to pause to get an external view. It’s not personal. The good news is that it can be addressed quickly: “Our competitor XYZ Plc implemented a similar approach over three years — however given their major breach last month, a year into their program, we believe we should move faster”.

  10. Ask
    This means going back to the beginning and the original request. “I would like to request the committee’s approval for the program as proposed”.

As you will see, this is quick to do - as little as 13 sentences.

It takes the audience with you as an ally, rather than appearing to apportion blame or responsibility for the status quo. It uses your prepared presentation for support, but does not assume pre-reading or duplicate its content. It has a clear beginning, middle and end: saying what you will cover up front to avoid surprises or lack of clarity about the ask, covering it concisely in business terms and addressing any areas of contention, then reminding the audience what you need from them.

And you can do this in less than five minutes. Have a try.
