Don't speak "geek" to the Board, or you will receive a cool reception.
At some point in our careers, many of us will be called upon to present to the board of directors. This could be to report the findings of an audit, compliance, or risk assessment. It could be to provide an annual or quarterly update on "the state of the union," to report a recent incident, or to request support for a new initiative.
Whatever the case, presenting to the board is no straight-forward task—and newbies would be well advised to thoroughly prepare for this kind of appearance, which differs greatly from meetings with the C-Suite, peers, auditors, consultants, and technology professionals.
Board members are elected or appointed by a corporation's shareholders to represent shareholder interests and to ensure that the company's management acts on their behalf. A board's mandate is to establish policies for corporate management and oversight, making decisions on major company issues. Every public company must have a board of directors, and in healthcare—regardless of whether that health system is "for-profit" or "not-for-profit"—boards almost always govern and provide oversight to the C-Suite.
Hospital board members are drawn from shareholders, investors, independent industry, and cross-industry experts, and often include academics and notable physicians. Overall, they are business people and know how to run a business. Most don't understand or speak technology—they are from business/finance/physician backgrounds after all. And almost none will speak or comprehend "cybersecurity". In fact, some might even have a difficult time spelling it! They do, however, understand business enterprise risk, profit and loss, and cost of risk acceptance, transfer, and remediation.
When addressing the board, CISOs need to speak in the terms and language that board members understand, rather than the language used to report to the CIO or other members of the C-Suite. Failure to do so will result in the message being lost or largely unheard.
Most board members picked up what little they know of cybersecurity from articles they read in the Wall Street Journal and other periodicals. They lack the technology backgrounds and domain expertise to understand the technicalities of cybersecurity.
So how do you establish a common language and communicate understandable metrics to the board?
By translating cybersecurity risks and strategies into business risks and strategies in order to make it relevant to board members. You likely won't get money for tools to tackle APTs, but you might get money to ensure the business stays up and running following an attack.
This was the subject of a presentation I gave this week to the Virginia HIMSS Annual Conference in Williamsburg, VA, where 300 or so healthcare leaders from across the region gathered to learn and share best practices on healthcare management, technologies, security, risk, and compliance.
So what were some of the takeaways?
Make Cybersecurity Part of Broader Enterprise Risk Management:
Use similar language being used to describe other business risks for how you talk about cybersecurity. Senior executives and boards are very familiar with assessing the probability and negative impact of risks, establishing a risk tolerance level, and developing risk management plans. If you use the same approach and terminology, it will help them to understand the big picture and make more informed decisions about the actions you suggest.
Talk about Program Maturity:
Maturity models are embraced by senior management and the board because they are familiar with them from many other programs, like quality management. Use the same tactics and language to discuss cybersecurity.
People, Process, & Technology:
Help senior management understand that cybersecurity requires the orchestration of people, processes, and technology—and that they have a critical role in it. Security practitioners usually fail by myopically focusing on just technologies and tools.
Establish a Culture of Cybersecurity:
Get everyone on-board with the mission to secure the organization; from the Board and CEO all the way to Interns. Buy-in from department leaders is especially important in order to establish cross-functional support for security initiatives.
Standards and Frameworks:
Aligning the security program with a widely used security standard or framework allows you to benchmark the program against other companies and that standard. Inevitably, senior management is going to ask you, “how are we doing against other companies?” If your program can reference the NIST Cybersecurity Framework, ISO27001, or CIS CSC, you will be able to compare the maturity of your program with a broad, diverse group of companies.
Addressing the Board
- First impressions count, so dress and act appropriately. That means business formal— better to be over-dressed than under-dressed.
- Research every board member on LinkedIn or in the press.
- Get coaching from a board member or the CEO to understand what the board is looking for from you.
Define your Purpose
- What are you there for? Own it!
- Be succinct, honest, and direct—Corporate Chieftains don't suffer fools lightly.
- Coach members on the basics but don't treat them as fools—they don't come from your world but they need to be educated on the basics in order to make informed decisions.
- Avoid the weeds—focus on the big picture and on business benefits, not security details.
- If you are lucky you will get 5 to 8 minutes to make your case—plan and use the time wisely.
- Talk to the CEO or other executives beforehand to ask for tips and advice.
- Prepare a well written brief and have the CEO's admin print and bind copies ready for the meeting.
- Use maturity models and frameworks. This is what board members want to see. This is how they think!
- Understand how the company compares to others. Saying that something is simply a "best practice" won't win you support.
- Anticipate questions—you'll get lots. Be prepared with smoothly delivered confident answers.
- Be prepared for politics! Boards have their feuds and sub-agendas - try and see through the fog
- Boards are strategic, not tactical—so stay out of the details. That's for the C-Suite to understand.
- Find metrics that tie into your mission for compliance, patient safety, up-time/availability, etc.
- Talk about reputation—it's the board's responsibility to protect it.
- Boards hate surprises, so provide a pre-brief before the meeting to help them adjust to new information—especially if its bad information.
- Keep things high-level and strategic—and above all business-focused.
- Avoid talking about specific technology, types of attacks, and especially acronyms.
At the end of the day, the board needs to feel confident that you as the CISO know what you are doing, and that the organization is in good hands. Presenting to the board is as much about you building your reputation with them, as it is about your program gaining the active support and sponsorship it needs in order to be successful in protecting the company.