How to Talk Security to the Board of Directors
CSO's Advice: 'Come to the Board with the Full Story'
How security officers address their boards of directors is at least as important as the information they share. As more security leaders take their security risk concerns to their boards, they have to ensure they articulate their messages accurately.
John South, chief security officer of Heartland Payment Systems, warns that common mistakes can trip up a good security plan and adversely affect subsequent project funding.
What's the No. 1 mistake? Security leaders who don't understand or see the big picture.
"If you're in the midst of a breach or a compromise, you may not have the full picture, but you need to have as much of the relevant case as you can," South says in an interview with Information Security Media Group's Tom Field (transcript below).
If the discussion is focused on standard functions, such as adding a new team member or purchasing a new tool, "then you need to bring that up as a full business case," South says. "Talk about the purpose; talk about the cost; talk about the impacts; and be able to present that as an effective business case to the board."
Security officers should not address their boards without first having enough information. Having the full set of details ensures boards can make relevant business decisions.
In an interview, South discusses:
- The keys to securing board support for IT security initiatives;
- Presentation skills security officers must develop for themselves and their teams; and
- Common mistakes to avoid.
South is the chief security officer at Heartland Payment Systems, where he establishes security strategy and internal risk assessment programs. South oversees Heartland's compliance with internal, industry and regulatory mandates, including the Payment Card Industry Data Security Standard. He also serves as Heartland's liaison with security professionals in the Financial Services Information Sharing and Analysis Center and is a member of the Payments Processing Information Sharing Council.
Before joining Heartland in September 2009, South held leadership roles in information security for Convergys (Intervoice) and Alcatel-Lucent. He spent several years in Belgium and Paris leading Alcatel's European information security operations.
Keys to Board Support
TOM FIELD: What are the skills that you rely on when you're presenting successfully to the board of directors of an organization?
JOHN SOUTH: I think one of the most important points when you're speaking to the board of directors is the ability to extrapolate the relevant points that you want to make to the board of directors quickly, considering that you're doing that from the minutiae of data that bombard you all day long. Find the relevant points and put them to the board in a manner that lets them quickly see the bigger picture and see what impact it has on the company and what impact it has on the operations, etc. Focusing on those impacts and remediation efforts is very important when you're presenting to the board.
Also, it's not a question of blame at any point in time. When there are security issues, they need to be discussed openly with the board so that they understand in their role as governance of the corporation what impact those points might have on the company itself.
And finally, it's being able to take those relevant points [and] capture those in a mechanism that can be easily observed and seen by the board in a way that they can find those big points. So for instance, you might use scorecards or you might use dashboards or whatever, but with things color-coded, things that are relevant might be a different color than things that are just informational so that they can quickly get to the points. It's important to understand when you're presenting to the board that you generally have a very limited period of time to talk with them, and being able to get your points across, have them understand what your points are and come to a decision is usually a matter of managing time as much as it's managing information.
FIELD: What have you found to be the keys to securing the board support for the IT security initiatives that you've brought to them?
SOUTH: I think the most important aspect of securing board support is to come to the board with a full story, to understand not just what the relevant point is - the security issue that you might want to be discussing - but also to have the mitigation efforts understood, to have the cost factors understood and to be able to explain impacts, both short and long-term. In essence, just basically have the entire business story around the issue that you want to present to the board, but again in a manner that you can present it quickly, effectively and get the point across to the board.
Presenting Security Issues
FIELD: And before you even get to the board, what have you seen to be some of the inherent challenges of bringing security issues to the group?
SOUTH: Going back to just looking at the vast amounts of things that you look at on a day-to-day basis as a CISO, you see a lot of security issues. You see a lot of security activities taking place. Obviously, you've got lots of hardware and application issues, and you have to be able to bring all of that into some mechanism that you can present to the board to give them a fair picture of what the relative risk is to the company at any point in time. Keep in mind that it's extrapolating from a huge amount of data to a very small amount of data, but you have to find those things which the board finds necessary to make their decisions. That's generally the biggest challenge, making sure you're getting the right things to the board so that they can make the right decisions.
FIELD: Now, have you overcome challenges, or seen individuals overcome challenges? I've got to assume that there can be a language barrier there as well when you're addressing the board.
SOUTH: You've got to keep in mind that the board, as the governance function for the corporation, sees things from a business perspective as opposed to, say, necessarily a technical perspective. The biggest challenge that you may have is: how can I take these technical things and turn them into elements that a businessman can understand? Now don't get me wrong - I can guarantee you when you talk to the board, even though some of them have accounting backgrounds or some of them may have been in corporate governance for a long period of time, they can come up with some really good questions, even on the technical aspects of security, and much of it is driven by what they may hear outside the company, either in their own firms or in other activities that they participate in.
They bring a lot of these outside issues that they hear and they can ask some pretty pointed questions which get down to the technologies that may be involved, but in general they look at security, just like any other aspect of the corporation, as a business function. When we forget that security is really about business, then we're forgetting why security is actually part of corporate governance itself. Really, that's why we're here - to make sure that the business can operate safely and securely. Overcoming that particular aspect and being able to step out of that technology role and be a businessman, and being able to help the board understand the business aspects of the decisions, can be an interesting challenge sometimes.
FIELD: We learn from our mistakes. What would you say was your worst experience presenting a security issue to a board?
SOUTH: I have a very good relationship with our board, so I think I'm pretty comfortable presenting pretty much anything to them. However, obviously I think the most difficult time of presenting anything to the board is when you have to talk about something that's anomalous to normal activities. So if there was a security glitch, or if there was something that's not a normal discussion but something that's a little bit more difficult to explain, something that has a more in-depth technical aspect to it, etc., those are the times when it's most difficult, because you're trying to understand yourself what may be the full ramifications of something and then being able to translate that back into a good business case for the business, which can sometimes be a little bit more challenging than others. So I think that's probably the worst experience, just having to explain impacts and elements of anomalous activity or glitches that you might see in security.
Skills CISOs Need to Develop
FIELD: Let's talk about advice for other security leaders. What are the skills that CISOs need to develop for themselves and on their teams so that they can address the board most effectively?
SOUTH: I think it goes back to understanding that even though many CISOs, and particularly their teams, are very talented technical people, the difficulty in speaking to the board is you have to be able to think like a business person. Take that security incident and encapsulate it inside a business case. What's the impact? What are the remediations? What are the costs? Understanding how to relate security issues as if they were business decisions is something that they need to work on. So whether that means taking business classes or understanding how to build scorecards or understanding how to build dashboards, those I think are all important skills that they need to develop.
Probably one of the most difficult things to do, whether you're presenting it to the board or even in just a presentation, is to be able to take a number of different diverse security concepts and capture them in one page so that you might be able to say to a board, "Here's our dashboard. It shows you the relative risk levels of security at this point in time." How you capture that, and understanding how to do that, how to develop that or a scorecard or something that effectively conveys security knowledge over to the board, is a skill that has to be developed.
I know many security people that have gone back to school after their technical training and continued to develop themselves, technically obviously as they go along, but have gone back to school for MBAs specifically for that purpose, to be able to think within the confines of business. And taking that premise that I laid out earlier that security is a business function, it absolutely is a business function, and unless you can think of it like that, then the fact that it's also a technical function will get in the way for you. Now the technology and the application of technology, most security people are pretty gifted at doing that, but the fact of the matter is that's a tool for the ultimate purpose, which is securing the business.
Mistakes to Avoid
FIELD: What mistakes do CISOs and their teams have to avoid when making these presentations?
SOUTH: The most important mistake to avoid is going to the board without having a full picture of the problem that you want to present to them. Now if you're in the midst of, let's say, a breach or a compromise or something, you may not have the full picture, but you need to have as much of the relevant case as you can bring forward to them. But if you're going up there for normal discussions, you want to add a team member or you want to add a function that you need to perform or a new tool, then you need to bring that up as a full business case. Talk about the purpose; talk about the cost; talk about the impacts; and be able to present that as an effective business case to the board. If you can't do that, if you only go up and say, "I need more people," obviously the board doesn't have enough information to base a relevant decision on. So you have to really avoid going up there without having a full picture to present to the board.