We have talked about how information security can be seen as something mythical and scary, and we have talked about how we can get our employees to understand information security. Now we will talk about how we can get the board on board.
Teaching a board about security can sometimes be a hard task. You need to be strategic and structured in your approach to ensure they understand the importance, the risks, and the measures required for the organization to do satisfactory information security work.
Below are some steps for approaching the board effectively. But remember, all organizations look different, all boards have different interests, and all people work differently.
Understand the Board
To begin with, you need to understand the organization, but that we will leave to another article. In this article we target the board, and you need to start by assessing the board's current understanding of information security and the related risks. This is important so that you can tailor the presentation, adapt it to their level of understanding, and avoid getting too technical. In addition, you also need to have some idea of how willing the board is to engage in the security work. For example, are there regulatory requirements? Has something happened, such as a breach? Are they interested in security at all?
Importance of Security and Key Security Concepts
It is important to explain the significance of information security for protecting the organization's assets, reputation and resilience. Here it is good to provide real-world examples of security breaches and their impact on the affected organization. When presenting the measures, start by introducing the fundamental information security concepts such as encryption, firewalls, and multi-factor authentication. Discuss the importance of data protection and why the organization needs to implement such measures. Start by presenting simple and often inexpensive measures. This plants a seed of thought, and you can gradually work your way up to the measures that will cost more.
Present the risks
You need to present the relevant threats, vulnerabilities and risks to the board. As you present, start a discussion about the potential financial, legal and operational consequences of a security breach. If you include the board in your thinking and explain why you have reached your conclusions, you will have a greater chance of getting them to agree with the proposed measures. When presenting the risks and the needed measures, it is often an advantage to use charts, graphs, and other infographics to make the information more understandable.
What do we have and what do we need?
You have already planted a seed of security thinking, and hopefully the board has started its own train of security thoughts now that you have presented the risks. Now it is time to look at what the organization already has in place and what may need to be implemented.
Start by presenting the organization’s existing security policies, frameworks, and standards (e.g., ISO 27001, NIST). Explain how these frameworks support the organization in mitigating risks by providing clear roles and responsibilities and a standard way of working (depending on the situation).
Next, which legal and regulatory requirements does the organization need to follow? Invite the board members to discuss this question and the consequences of non-compliance; guide them where needed, but the best result will come if they reach the realization by themselves. After that, explain how compliance with the relevant laws and regulations aligns with the overall security strategy, and offer clear, actionable steps for the board to support and enhance the organization’s security posture. Include budget considerations, resource allocation, and strategic initiatives here.
Also, do not forget to explain the organization’s incident response plan and the board’s role during a security incident. Explain the importance of preparedness and regular drills. It may take time from their other work, but it will save a lot of time, money and headaches if something happens.
Role of Governance
Once again, highlight the board's role in establishing a good security culture and the importance of their support in implementing and maintaining security measures. Explain how regular reporting helps monitor and improve the security level, and recommend continuous learning and training programs for the board to stay updated on emerging threats and best practices.
Everyone who has ever worked with security knows that sometimes the board does not seem willing to spend money on security. Do you recognize this? It is important to approach the situation strategically to shift their mindset.
Understand the resistance
You need to understand the resistance and identify its reason: is it due to cost, lack of understanding, or perceived inconvenience? When you know, or think you know, the reason, address the concerns directly and open up for discussion.
Highlight the advantages
Present the information security work as a business enabler. Explain how it can protect revenue by preventing or minimizing the impact of incidents. It is helpful here to show how it can protect reputation, using real-life examples of organizations that lost market share after incidents. Explain how security work can give a competitive advantage.
Focus on business risks
Frame information security as a critical aspect of business risk management by explaining how information security vulnerabilities can lead to significant business risks. Continue by explaining how security measures done right can mitigate these risks and protect the organization's assets.
Stakeholder expectations
Stakeholders have expectations of the organization, and these include security work that protects their interests. Discuss the expectations of key stakeholders, including customers, partners, and investors, regarding cybersecurity. Explain how fulfilling these expectations is important for maintaining trust and business relationships.
Highlight Real-World Consequences
Sometimes numbers and money are the only things the board will listen to. Then it is time to quantify the potential impact on the organization. You can do this by providing case studies of companies that were fined due to poor security practices. Highlight the financial losses, reputational damage, and operational disruptions those companies suffered. It is even better if you can use industry-specific examples to make the risks more relatable.
If needed, use metrics and data to illustrate the potential costs in terms of lost revenue, legal fees, regulatory fines, and recovery efforts. Also, compare these costs to the investment required for implementing robust security measures.
Incremental implementation of measures
To get the board to agree to the needed change, start by suggesting small, incremental security measures that can be monitored and measured for effectiveness without requiring a large initial investment. Use the (hopefully) successful outcome of those measures to gain support for more comprehensive ones.
Again, all organizations look different, all boards have different interests, and all people work differently. There is no “one-size-fits-all”.