How to Win the Boardroom Conversation on Security
By Bill Murphy, President and CEO of RedZone Technologies
Corporate decision makers grapple with high-level business issues every day. More than most people, Executives and Board members appreciate simplicity, clarity and transparency. So when it comes to getting them up to speed on complex business challenges, like IT Security, the role of the CIO is to provide the foundation for well informed decisions. If successful, everyone will be ready and willing to join in the defense of the enterprise.
However, this is easier said than done…
While most Executives and Board members are aware of the importance of IT security in a general way, they may be disconnected from the issues of implementation, governance and remediation. Consequently, they may not have a clear picture of the threat environment. Some may feel confident that current security measures are effective -- as far as they know, no information has been lost, stolen or hijacked for ransom.
Breaking the Comfort Zone
If the Board is not fully engaged in the real fight for IT Security, it may be that members are uncomfortable about leaving the familiar confines of normal business functions. Typically, the last thing a Board member or committee wants is oversight responsibility for IT Security. However, they do not really have a choice in the matter and it is the job of the CIO to help educate them.
To do this effectively the CIO must employ a bit of creativity to engage the Board. Here are some proven ways to win them over:
• Share the roadmap -- Let the Board know the company’s current IT security status and where it needs to be. Share the vision. Be transparent.
• Talk about risk -- Discuss the ramifications of the Board’s decisions or inaction. The members are adults. Treat them as such. Tell them how it is.
• Discuss the impact -- Tell senior executives what measures are in place to minimize the impact of a security breach. This should include a review of disaster recovery and business continuity plans.
• Consolidate the inputs -- One story. One mission. One plan.
• Leverage outside experts -- The insights of consultants, vendors, and compliance auditors will often have a high degree of credibility since they are free of internal bias.
• Use current events -- The media continually cover major attacks impacting business and government, especially if collateral damage is involved. Seize these opportunities to get the attention of the Board.
Briefing non-technical executives on IT Security is a challenge because the CIO must quickly convey complexity, quantitative information, and alternative solutions. Fortunately, the human eye has evolved to take in enormous amounts of data. A simple graph, for example, can distill tremendous amounts of data into an easy-to-comprehend view, enabling everyone to see the big picture.
With the application of these principles through the use of visualization and planning tools, the CIO can communicate a clear and easy-to-understand picture of the current status and road map, and in the process create transparency that bolsters confidence among the CEO and Board.
Another benefit of a discussion guided by visualization is that it is less likely to get sidetracked by “shiny toys” -- for example, an executive saw a vendor’s sign in an airport or read a “cloud strategy”’ article. Shiny toys can generate some interesting conversations, but it is up to the CIO to keep the Board’s focus on IT Security mapped to tactical execution.
Visualization tools, like RedZone Technologies' CIO Scoreboard, include info-graphic “snapshots” in time that can help the CIO track how effectively the IT security program is being managed. They enable progress to be demonstrated to the CEO and Board in a clear and concise way, and in language that will be easily understood by everyone.
Other beneficial outcomes of visualization tools include…
• Provides the ability to measure the accuracy and soundness of IT Security readiness and present the findings in a way that provides the Board with strong feedback on the direction of spending related to the roadmap.
• Empowers the IT team to easily understand the gaps in important areas while providing a clear view into prioritizing actions, plans and investments -- without getting lost in complexity and uncertainty.
• Guides the purchase of appropriate products and eliminates product functionality overlap.
With the IT security story conveyed within the context of the business strategy, the CIO will find the Board more attuned to supporting initiatives with the right security investments.
Keeping the Board informed about IT security is an ongoing responsibility; doing it right will help ensure the Board’s attention, trust, support and cooperation as a robust security regime emerges to protect the company’s data, applications and intellectual property.
About the Author
Bill Murphy is President and CEO of RedZone Technologies, which he founded in 2001. The Annapolis, Maryland firm provides enterprise security solutions from core to edge, specializing in enterprise IT security, data governance, and managed services. Bill is the impetus behind the visualization tool CIO Scoreboard, which helps CIOs communicate transparently to the CEO and Board, simplify IT security issues, and obtain support for IT initiatives.