As stated by Help Net Security: “Cybersecurity strategy needs to be led by the board, executed by the C-Suite and owned at the front lines of the organization.”
When it comes to initiating an organisation wide cybersecurity strategy, security executives such as CISOs, Heads of Function or Risk Managers often have their hands tied because they need to get agreement from the Board of Directors first.
87% of board members and C-level executives are not confident in their organisation’s level of cybersecurity.
The extensive cybersecurity threat landscape encompasses an understanding of the nature of the company’s enterprise, the industry, the market, and the constraints appearing upon the corporate, both internally and externally.
No regulation
There is very little regulation of cyber-space as in the real-world and social norms are easily distorted and exploited creating vulnerabilities for security threats. To protect against these vulnerabilities or threats need funding in resource and budget.
These protections use software, hardware and policies, and are typically referred to as countermeasures. Common countermeasures embrace firewalls, encryption applications, patch management and authentication techniques.
Companies have restricted sources to handle their risk and the Board knows it.
One important priority of the Board of Directors is to make sure that risks to the organisation are properly managed.
The more you know about the board members, the simpler it is going to be to narrate to them and win them over with arguments that can resonate to them.
The Pitch
Regardless of the organisation size or cybersecurity maturity level, a successful pitch to the board will depend on how well you understand your audience.
Make certain to familiarise yourself with each of the board members before getting into the room. Get to know their background, place and influence in the group, pain points and method to security along with their risk appetite and threshold.
Focus on the major methods that can assist to enhance your cybersecurity posture and strengthen your defences against threats and intrusions, equate risk to a financial rather than a high, medium or low weighting but be prepared to back your figures up with a sound risk algorithm.
During your presentation, you should ensure to clarify how precisely your cybersecurity technique will make a lasting impact on your organisation.
Make certain to dig up related numbers and statistics to bring your point throughout. For instance, your proposed cybersecurity technique might require 5% more budget but deliver measurable ROI because your threat publicity is lowered by 25%. Knowing the numbers will be a key strategy of convincing the board.
Analogy
Use an analogy to explain a complex subject in a format that the board understand.
cybersecurity can be hard to visualise for a person who does not readily understand the complexities, unlike physical security which can be seen and can be touched and is a good analogy to use.
Physical security is the safety of personnel, hardware, software program, networks and data from physical actions, intrusions and other events that might damage a company. This contains pure disasters, fire, theft and terrorism, amongst others. Physical security for enterprises typically consists of worker entry management to the office buildings as well as particular areas, such as knowledge facilities. All these can be mapped onto the cyber world making it easier for the audience to visualise.
Reference : https://www.hitachi-systems-security.com/blog/cybersecurity-board-of-directors/