How to Talk to Senior Executives About Cybersecurity

May 20, 2020 | 7 min read | Security Posture

There will always be subjects that we need others to explain to us like we are five years old. Quantum Physics. Super PACs. The Flux Capacitor. For most board members and c-suite personnel, cybersecurity is one of those topics. This presents a difficult challenge for CISOs and CIOs: Your role requires that you communicate effectively with these stakeholders, yet they rarely speak the technical “language” of cybersecurity.

The importance of getting this right need not be explained. Einstein_Explaining_Cyber_Risk (1)Lulling the board and senior colleagues to sleep with talk of CVEs and encryption algorithms hurts your chances of getting buy-in for projects that are vital to keeping the organization safe. Furthermore, failing to clearly show how your team’s efforts impact the business will negatively affect perception of both you and your team.

But how do CISOs make clear and credible points about a topic that is intangible and largely unintelligible to their board? Here are 5 keys to approaching the challenge.

1. Align with business goals

When presenting to the board, every point you make should tie back to a topic board members care deeply about: risk. Start by providing an overview of key risk areas for the business that you are monitoring. Then, share a list of projects in each area that you are undertaking to decrease risk levels.

Be sure to explain the business impact of a breach and likelihood that there will be a breach in each area. This will allow you to focus the conversation on activities and projects that will result in the most substantial risk reduction.

2. Use Visualizations

If you’re struggling to get the attention of your senior colleagues and board members during a presentation, chances are you’re not using enough visuals. There are a number of ways you can explain cyber risk with visuals, but potentially the most powerful forms are heatmaps, trended over time.

One of our customers’ go-to board reporting visuals are the sunburst heat maps that show risk levels by asset groups with red, orange, yellow, and green signifiers. You can drill down into each asset group and get more contextual information about the factors driving risk in each area.

risk dasboard

Visuals can also be used to show your progress. Balbix has specialized visuals showing risk levels over time, but even simple bar charts or line graphs can be used to show the number of risk items that are being fixed over time.

3. Quantify

In order to make your points stick, you need to leave the board with something concrete. The best way to do this is with metrics. At the end of the day, numbers tell the story.

Tools like Balbix automate the quantification of risk scores for you across 100s of attack vectors and device types. Specific device, app, and user vulnerability metrics funnel up into risk scores for broader categories like intellectual property, customer data, or offices. An overall enterprise risk score encapsulates all of these metrics. If you don’t currently have a tool with these capabilities, share more qualitative metrics using a graph like the one below.

risk calculation table

For example, you might share that your intellectual property has a risk level of 15 (catastrophic impact and probable likelihood of breach) and your customer data has a risk level of 4 (significant impact but remote likelihood). Mitigating the risk to IP is a top priority for you. Suddenly, your request for additional funding to protect the organization’s IP makes a lot more sense to the board.

4. Show trends

A reliable tool or system of quantification for your security posture also helps your board better understand your team’s performance. “How are we doing on securing our IP?” the board might ask. “Well, we were actually able to cut our risk in half from 20 to 10 by patching 76 business critical assets” you could respond. “I estimate this has decreased our cyber risk by nearly 30%.” Even better if this is quantified financially. “I estimate that this has decreased our expected loss from breach by over $1.5 million.”

Staying on top of your cyber risk metrics

Being proactive about your cybersecurity posture is paramount to delivering board-level presentations that impress. Balbix provides a real-time view of your entire asset inventory, with continuous visibility into the most critical vulnerabilities affecting it. With a prioritized list of risk insights and exportable heatmaps, we’re here to make you look good during your next cyber risk conversation with c-suite colleagues and the board of directors.