Presenting to the Board: CISO basics
Khalid Kark of Forrester Research shares a few guidelines on how a CISO can present effectively to the board of directors.

By Khalid Kark, VP and Principal Analyst, Forrester Research, July 21, 2010

Only a few years ago, a vast majority of CISOs reported to the CIO. Their task was to run and manage the technical and operational security infrastructure. Reporting was easy.

CISOs reported on the operational status of the security infrastructure and provided status updates on projects. However, increased regulatory and industry requirements and the ever-changing threat landscape are making companies across the globe more anxious about their security and risk posture. As a result, senior management and the board are asking CISOs to keep them informed and educated on security issues and significant areas of risk.

Forrester has seen a significant increase in the number of CISOs who now report outside of the IT organization, and an even bigger increase in dotted-line relationships to the CEO, President, board of directors, or executive committee. This visibility brings not only additional responsibilities but also an expectation that the security and risk management organization will be mature enough to understand business needs and articulate the security message in relation to those needs. This is new territory for CISOs.

Effective Presentations

After helping many CISOs present to their boards or executive committees, Forrester has developed the following key tips to help you present effectively to executive management and the board of directors.

1. You’re the expert. Act like one - but don’t go overboard. The fear that you won’t be able to answer the board’s questions, or that they will try to nail you with trick questions, is largely unfounded. Many board members have had only a rudimentary introduction to information security and are relying on you as the expert to clarify their concerns and misconceptions. On the flip side, these will be the sharpest minds around, so do your homework: make sure your claims are backed up by facts and that your assumptions are documented and reasonable.

2. Be aware of topics that are relevant to the board. Some CISOs make the mistake of assuming that this presentation should be a holistic review of all security and risk management capabilities. Another mistake is to bring in operational and tactical information that the board doesn’t care about. The board is interested in the following areas: risk posture (including business continuity and resilience); compliance; audit results; and any other issue that would affect the organization’s reputation or financial obligations.

3. Bring context. One CISO proudly proclaimed to his CEO, “We blocked 17,000 spam messages last week.” The CEO responded, “Isn’t that your job?” This exchange clearly shows the importance of context: without it, the CEO didn’t know what to make of this piece of information. Use analogies, comparisons, and real-life stories to make a point, and make sure you provide context for every metric in your presentation.

4. Probe them on risk appetite issues. The interaction with the board gives you a tremendous opportunity to gauge the risk appetite of the organization. The board shouldn’t be making decisions on specific policies, but it can certainly direct the organization on what the bounds for those policies are. The CISO’s goal should be to present information to the board to solicit their reaction, and then to determine and direct the security organization’s activities within the bounds the board provides.

5. Focus on the problem, but be prepared to discuss the solution. This is probably the most important tip. Make sure you’re not going to the board with a list of problems and no concrete solutions. It’s good for them to know what the top three risks are, but it will be reassuring for them to know that you have a plan to address those risks.
