Presenting the Business Case for Security to Your Board of Directors

By Jim Eckhart, Executive Security Advisor, Microsoft

In a landscape of evolving threats, cybersecurity is a critical discussion that must happen on a regular basis at the board level.

A favorite question that nearly all board members ask is: “Are we secure?” However, that’s a trick question because it entices a less-experienced security leader into a naïve answer: yes or no.

Board members want reassurance that risk is minimized, and that’s where the discussion must go. Risks cannot be eliminated entirely, so the focus should be on how to minimize them and to what extent. Minimizing risks does not only come at the additional cost of security investment and complexity of operations, but also at the expense of controls implemented within the business and the friction and loss of productivity that those controls might cause.

For this reason, it’s important for security leaders to shift the discussion from an IT-focused cybersecurity conversation to one of comprehensive digital risk management that addresses the complexity of securing core processes across the entire organization. In this article we will explore three different conversations that security leaders should have with their boards of directors on a continuous basis to align cyber-risk management with business objectives. 

Microsoft Security

Building and Implementing a Risk-Driven Program

Gaining stakeholder alignment is a difficult process when deciding what the security program should look like. This is often due to the disagreement and misalignment found in the management chain, which leads to many CISOs feeling conflicted and ill-equipped to satisfy the competing priorities across the organization.

Our recommendation to combat these challenges is to introduce a risk-driven security program. This program generally yields the most comprehensive and business-aligned approach to cyber-risk management.

A risk-driven security program is a bonus for the security leader because the risk ownership is shared across all stakeholders, meaning that the whole organization is thinking broadly about risk. In addition, this program tends to offer more complete funding that may also sit outside of IT, which means you get a much broader funding source.

Microsoft Security

The next step is turning everyone involved into a believer. A good way to do this is to conduct risk identification (see the chart above), which helps everyone understand who the threat actors are, what they are after, and how they might attack your organization. This allows organizations to build a program based on the risks that everyone has agreed upon.

These risks can then be plotted on a risk heat map (see chart below), enabling organizations to align risk tolerance with maturity targets set at the onset of the program. This helps teams address “Are we secure?” with the answer: “We have managed our risk down to a residual risk level that all of the stakeholders agree our organization can tolerate.”

Microsoft Security

Explaining How You’re Continuously Improving the Program

Completing all of the necessary “homework” in this first conversation actually helps organizations establish a strategic approach to achieve target maturity. The second conversation then centers on explaining to the board of directors what you are doing to improve the security program in a way that everyone is in agreement.

When setting these strategies, it’s important to help leadership recognize that conventional security tools have not kept pace with the rapid increase and complexity of attacks, the increasingly complex regulatory landscape nor the complexity of increasingly-distributed IT infrastructures.

The strategy needs to include solutions that can deal with the broadness of the modern-day attack surface. Microsoft offers broad solutions that cover three transformational, platform-enabled shifts of Zero Trust, Modern SOC, and Compliance, helping organizations reduce the number of tools they deploy, which increases productivity, security, and agility. Once the strategy is understood and endorsed by the board, it’s often followed by action-oriented sentiments such as: “What prevents you from moving faster?” and “Are you adequately funded to address the risks of the organization?” 

Assessing the Effectiveness of the Program

The third conversation to have with the board on a regular basis is around assessing and demonstrating the effectiveness of the program. There are a number of different ways to do this. One method to demonstrate executive engagement is to do tabletop exercises. These cross-functional exercises engage all levels of management and are an excellent way to test the effectiveness of the organization’s decision-making capability under duress, while also testing the prevent, detect and respond mechanisms of the cybersecurity program. Both the decision-making capabilities and the mechanisms of the security program have been tested time and time again in real life by those organizations that have been unfortunate to fall prey to real-world human-operated ransomware attacks.

Other areas to consider include conducting continuous red/blue/purple team simulations that detect organizations being attacked. Of course, the age-old staples of board discussions must continue to include insightful representations of workload posture management, workforce assessments such as training and information handling, as well as crucial operational metrics such as mean time to detect and recover.

Communicating security risk in business language while demonstrating that security is a business driver helps build confidence among the board of directors and executive leadership. Having these conversations continuously, while reinforcing the importance of resiliency, risk mitigation, and governance, allows organizations to better streamline their security stacks to add value, save on costs, and strengthen their overall security.

To learn more about communicating with boards on cyber risks, watch our recent webinar here.