Communicating The Value of Security to Executives and the Board
Published On: October 26, 2022
For security leaders, talking to executive peers, senior management, and board members may be intimidating. Your peers manage much larger departments with critical functions such as finance, operations, and legal. Sometimes senior management is so busy that finding even just fifteen minutes is a challenge. Finally, Board members are often former or current business leaders with extensive backgrounds, experience, and minimal time. How are you, the leader of your organization’s security function, able to connect, collaborate and make a case for how much security matters to the organization?
It is essential to look at your peers, leadership, and critical stakeholders as people focused on their job. They have important responsibilities in managing their departments and working towards shared goals for driving the organization forward. As a fellow leader in the organization, understanding the context of others is the first step to communication.
Context is critical when it comes to communication. Understanding your peers’ pressures and drivers will enable you to position your work concerning it. For example, the CFO must manage the organization’s budget and ensure revenue flows exceed the outflows of spending. Fraud and waste are huge concerns, whereas regulatory requirements matter but are not as important in their context. For the Chief Legal Officer, regulations are a huge deal, but cost-saving is not necessary.
Once you have established the context, the next step is establishing collaboration areas. As a security leader, your goals are multi-faceted but heavily focused on ensuring the security of the data your organization manages. You connect with IT systems, HR, physical security, operations, and legal, among many other areas. The connection is usually around data security, but you need to identify how your work aligns with and impacts the goals of other departments. Leveraging the context you have built, when you interact with executives, you should position your efforts in line (where possible) with their goals. For example, you can emphasize fraud reduction with the CFO, which is important to them and you. Better yet, you can also talk about how your asset management tooling can help identify end-of-life equipment for recycling and better infrastructure cost management, which should be music to their ears, considering the more significant impact on the bottom line.
As the security leader, you play an important role as the cyber risk manager in most organizations. However, in most organizations, you are seen as someone who deals with “unseen” threats and defensive technologies like firewalls. They may not realize your role in asset management, applications, human resources, and vendor management, which is often more directly related to your peer’s roles. How can you insert yourself into the conversation, even with understanding their context and intentions to collaborate?
The key is evidence. Specifically, you need corroborating evidence. Corroborating evidence is evidence that supports your position and strategic direction, and supports how you collaborate with peers. As a security leader, you know poorly configured cloud applications create tremendous risk for the organization. You also understand that too many unused accounts are a drag on the organization’s financials and can impact operations if too many individuals can access and edit files. By performing a cloud security assessment, you can identify areas of security concern, outdated accounts, and over-permissioned users. When you meet with your peers in finance and operations, you now have a direct benefit to their departments that you can share, allowing them to align with your security goals for the organization.
Another form is “evidence’ and one of the most impactful ways to demonstrate the strategic direction of security is through a risk assessment. A risk assessment is when an organization reviews its cybersecurity posture through the lens of threats, vulnerabilities, and impact. While some organizations can do this internally, many choose to bring an outside expert to review various controls, apply threat models, and consider the impact of a cyber incident on both operations but also regulatory concerns.
The output of a risk assessment, and why it is such good evidence, is a concrete prioritization of efforts aligned with cyber risk. As a security leader, risk assessments puts you in a strong position to make recommendations for areas that require resources.. Considering all that we discussed above, the risk assessment must be shared and aligned with context and collaboration. While your highest risk may be the end-of-life assets, pushing for change with finance or IT based on the risk assessment alone will be more challenging than communicating using the context of how better asset management may save money and reduce risk.
When talking with senior leadership and boards, the value of the risk assessment increases dramatically. These leaders and stakeholders seek evidence, and evidence derived from careful analysis and potentially external perspective is valuable. When communicating with these leaders, sharing that data, then putting it into context and alignment with their needs, such as organizational growth or avoidance of legal risk, puts you in a position of strength. You know what needs to be done, but having the evidence and delivering it in a manner that meets your audience where they are will help ensure that you get the support and resources you need.
Communication is one of the most significant challenges for many security leaders, but it does not have to be. By considering your audience’s context and how you can collaborate and seek corroborating evidence to support your communication, you can achieve greater levels of communication with peers, senior leaders, and boards. Every opportunity to communicate with these groups should be pursued with these best practices in mind, as every opportunity could be the key one that helps you achieve a new ally, more resources, or greater strategic alignment.
Stay up to date with cyber security trends and more