Cybersecurity budget: CISO advice for getting your Board of Directors to take notice
Author: Carole Theriault
Date: Wednesday January 17
There are many CISOs and CSOs out there hiding their proverbial sweaty palms.
They’re stressed out, worried that it is just a matter of time before their network gets caught up in some embarrassing data debacle – perhaps it will be ransomware, or a targeted attack or an insider leak.
And they know they will then truly be in the hot seat.
Thing is, for many, it is a fingers-crossed game, because few responsible for cybersecurity are granted the right people, budget and processes.
Worse, many aren’t even given allocated resources or funds to test and assess their system resiliency, meaning they have no idea what state their systems are really in.
Think about this, though. Don’t most organizational leaders try to maintain a healthy approach to risk, resilience and optimism in their day-to-day jobs? Could this be why so many blanch when disaster recovery, data protection and cybersecurity policies are discussed?
Information security is, after all, about being prepared for bad scenarios.
So we need to figure out how to make information security much more engaging in the boardroom.
How to secure your stakeholder audience
Serious security incidents can deliver a nasty knuckle-sandwich to the shareholder, and it hits where it hurts them the most: the wallet.
CISOs and CSOs need to take advantage of this very real pain point to secure appropriate budget and resources.
So here are some recommended guidelines on how to improve the CISO relationship with stakeholders and the board.
Provide cyber training designed specifically for upper management. Do not assume they have strong cybersecurity skills. If this UK government password-sharing fiasco is anything to go by, senior staffers don’t always know their role in securing the network. Training is a great way to familiarize this team with security terminology and recommended policies.
Feature on the meeting agenda often. Ensure information security is regularly featured in the board and senior management quarterly review meetings. The only way cybersecurity will become a real top priority is for you to make it one.
Don’t try to wow stakeholders with your technical prowess. Keep their attention on the high-level issues so that you secure your budget requirements and you and your teams can implement the improvements. Only deep-dive into the tech weeds upon request, but when you do, make sure you know your stuff – or know how to get the answer quickly.
Don’t hide security incidents from stakeholders. Your job is to keep them informed of the actual state of information security, not a fictitious one. Without the facts, much more liability may fall onto your shoulders.
Update the board on latest risk levels based on trusted assessments. They need to know how exposed the organization is to IT threats, and the recommended mitigations to bring that exposure level down a peg or two.
Bring in third-party experts as appropriate. If you are lacking cybersecurity expertise in house, then bring in a trusted third party to perform assessments and provide recommendations.
Need some expert help?
Do you want some additional guidance on how to onboard your board when it comes to information security? We can help you secure the budget and resources you need to properly secure your network, making you a vastly less attractive attack target.