Ross Young, the CISO in residence at Team8 and the creator of the OWASP Threat and Safeguard Matrix (TaSM), recently shared his insights on how cybersecurity professionals can effectively tailor their presentations to the board. In an interview, he emphasized the importance of aligning security strategies with business priorities to gain support and resources for cybersecurity initiatives.
One key consideration highlighted by Young is the need to frame cybersecurity initiatives in terms of business growth and revenue impact, rather than risk mitigation alone. Board members are more likely to support security programs that directly contribute to the company’s bottom line. For example, demonstrating how security measures enhance customer confidence and help close sales can resonate with the board. By linking security initiatives to measurable business outcomes, cybersecurity professionals can strengthen their case and secure buy-in from executives.
Young also addressed common misconceptions that boards have about cybersecurity. One major misconception is the belief that sufficient spending alone can prevent all cyberattacks. Young emphasized the need for a coordinated effort across all three lines of defense – operational management, risk management, and internal audit – to create an effective security posture. He also noted that certifications like ISO 27001 and SOC 2 Type 2 do not automatically translate to robust security, and that security ownership begins with first-line operational teams.
When presenting to the board, cybersecurity leaders may face pushback or challenges in communicating persistent risks transparently and in discussing risks that could create liability for the company. It is crucial to frame ongoing risks in terms of business impact and to present realistic approaches to reducing risk over time. Additionally, security leaders should prepare concise, business-focused briefing materials and advocate for dedicated sessions to ensure proper oversight of cybersecurity matters.
In terms of metrics and KPIs, Young emphasized the importance of focusing on trend data and connecting metrics back to business objectives. Metrics that demonstrate business impact and risk, such as risk reduction metrics, security investment ROI metrics, and incident detection & response metrics, are effective in communicating cybersecurity status to a non-technical audience.
To foster ongoing dialogue with the board, Young recommended regular engagement through executive risk committees or alternative channels for ongoing communication. Monthly meetings with the C-Suite can help security leaders maintain consistent visibility of evolving threats and progress on security initiatives. By establishing a predictable rhythm of communication, security leaders can build stronger relationships with executives and ensure cybersecurity remains a continuous part of strategic business discussions.
Overall, Young’s insights provide valuable guidance for cybersecurity professionals looking to effectively engage with the board and align security strategies with business priorities. By framing cybersecurity initiatives in terms of business value and maintaining ongoing dialogue with executives, security leaders can secure support and resources for their programs and ensure cybersecurity stays at the forefront of business discussions.