As the Websense CSO, I often get a chance to discuss key security issues with other CSOs and CISOs worldwide. I was recently in St. Louis speaking with a group of CISOs about how they are preparing for 2012. Right now, many companies are meeting to discuss how to allocate budget and resources for the new year. Often it also means discussing what went well and what didn’t.
The resounding theme in my discussion with other CISOs was that the board of directors, for the first time, is really interested in making sure their company is secure. Many CISOs are getting questions specifically about whether they are protected from targeted attacks, malware, and data breaches. And many of these questions are coming from people who don’t really know what terms like “targeted attack” or “malware” actually mean. This trend tracks with our recent Security Pros & ‘Cons’ research, in which 91% of IT security managers reported that new levels of management have engaged in data security conversations in the last year.
So, how should you speak to your board of directors about threats and security?
1. Keep it simple.
Avoid industry or technology jargon. If they want more technical details, try explaining it to them as if they were a member of your family. While your board members are very smart, they do not have the technical knowledge you do. You are the IT security expert and need to communicate in terms they understand. This often means equating security to dollars and cents. Or as I often refer to it, “dollars and sense.”
2. Use images and numbers.
Your board of directors understands numbers. Set the scene with stats, like “at any given time, our employees are only two clicks away from a malicious website.” Tell them you stopped XX attacks, prevented XX pieces of confidential data from being stolen or misused, and implemented XX new programs designed to keep the network safe. Make sure every number you cite comes from a source you can defend if a board member asks where it came from.
I also encourage you to use images. Work with your marketing team to create a mash-up of your web security tools and a spinning globe of the earth. Show a storm cloud advancing over the cities where your employees are located. It will show your board members where the threat is highest. There is no doubt your board will ask: "Are you 100% sure you won’t be hacked?" You can reply that while you can’t stop the rain from falling, the company can prepare for the storm and put the proper tools in place to reduce the damage.
3. Repeat yourself often and in an interesting way.
You need to repeat your message multiple times for someone to remember it. So before you get into a board meeting, write out one short sentence that captures what you want the board to walk away with. For example, “We are protected from cybercriminals” OR “We need more funding for IT security or we will get breached.”
Repeat this message at least three times throughout the presentation. Don’t do it in succession (you will sound a bit nuts); spread it across the presentation instead.
Your communication repetition also needs to extend beyond the board room. You need to communicate on a regular basis with management about your successes or needs. They should not hear from you only when you need funding, or only once a year. Once a quarter is the bare minimum, and once a month is ideal.
Here’s a great CSO article on the 9 secrets to getting stuff done in a company. Many of my tips are included in here, as well as insight from other top CISOs in the industry. Also, be sure to check out the Websense Security Labs 2012 predictions. There are some interesting insights on coming trends.
Feel free to leave a comment below on your 2012 plans or any tips you have for effectively communicating to management. You can also connect with me here http://www.linkedin.com/in/jasonclarkfl and we can discuss your 2012 plans.