Presenting security and risk to board members

Executive Summary

Your board's time—and attention—is limited. But the security of your company, its reputation, and its financial health can all depend on how well your board members understand the business risks you face, and how you plan to mitigate them. Keep it short, and make it matter. This article looks at IT and security budgets and explains how to balance them against your security risk profile.

It’s that time. You have to report on the state of enterprise security to your board. The presentation is critical: the security of your company, its reputation, and its financial health all depend on you. Your board members need to understand the business risks you face, and how you plan to mitigate them. But their time—and attention—is limited. Keep it short, and make it matter.

Follow these six steps to achieve your goals.

1. Cyber threats are real—stick to the facts

They’ve heard the numbers. As much as $575 billion is lost to cyber crime annually. Data breaches can cost more than $400 million. Information like this falls on deaf ears. Board members are numb. But they need to understand the general risks of doing business online—which are endemic—versus the threats that face your industry, and your business specifically. If your organization’s largest risk is related to a lack of controls or inadequate processes, they need to know that. Most importantly, they need to know what you are doing about it. Don’t go to the board with problems for which you haven’t figured out solutions.

Tell a compelling story about a security breach, preferably in your industry. Give examples from your own company. Identify critical information assets—intellectual property, sensitive customer data—and paint a picture of what would happen and what it would cost if they were compromised.

2. Provide metrics that convince

If you have gaps in security controls that you are struggling to get resources to fix, give them evidence proving that you are continuously under attack and that your networks are constantly probed. Make it clear that sooner or later, the bad guys will succeed. Educate them. Surprise them.

  • 73 percent of companies suffered at least one security breach in the past year
  • About a third of employees targeted for phishing will open fraudulent emails
  • More than one in 10 take the bait—and it only takes one
  • Less than two minutes elapse from the hacker hitting send to your systems being compromised
  • Hackers are inside your organization, on average, for at least four months before they’re discovered
  • Web apps are the number one entry point for breaches

3. Get their support in adopting a culture of security

Human error accounts for 58 percent of cyber breaches. A secure business is a business in which everyone is educated about threats and does their part to reduce risk. This starts with rigorous—and repeated—training, and perhaps even commitment to a standard like ISO 27001.

4. Convince them they need incident response help

Encourage the board to face facts: all organizations today face the very real possibility they will be breached. How much damage you suffer depends on how quickly and effectively you respond, so why not get prepared? Most companies don’t have the skills for effective incident response (IR). You need technical, forensic, legal, and public relations support to get through the trauma. Your best bet: a third party with specialized expertise. A good IR firm will have your back.

5. Discuss cyber insurance

Cyber insurance is integral to your security strategy. Yet only 19 percent of companies have cyber insurance. And most are grossly underinsured, with only 12 percent of the total costs of a typical breach covered. Cyber insurance is the fastest-growing insurance in the world, projected to grow 300 percent by 2020 from $2.5 billion in annual premiums today. Do the math for your board. Calculate how much your business can absorb from a breach without financial catastrophe. Pick a level of risk that you are comfortable with, and insure the rest.

6. Get them to champion those efforts for which you didn’t get budget approval

You have done your homework and already secured funds for some of your efforts. If you have risk areas that need addressing but no budget to address them, board members need to know this and either accept the risk or champion a solution. There’s no better way to get something accomplished than by saying that “the board” requested it get done.

In conclusion

As you go through this exercise, be a little selfish. If you’re not getting the support you need to defend against existential threats, think of your own reputation and career. If your board doesn’t get it, it might be time for you to consider your options.

It’s that important.

Ryan Kearny was appointed the Executive Vice President of Product Development and Chief Technology Officer at F5 Networks in October 2016. He is responsible for overseeing the company’s technology roadmap and leading F5’s engineering team. Kearny joined the company in 1998 and was named Vice President of Product Development in May 2004 and Senior Vice President of Product Development in January 2012. He holds a B.S. in Electrical Engineering from the University of Washington.

The GDPR, the EU’s new privacy rules, are going into effect by May 2018. The GDPR splits companies into two types: those that process data and those that control it. If you are established in the EU or you offer goods or services to companies or individuals in the EU, you are responsible for complying with the law or potentially facing stiff penalties. The law applies to any personal information (PI) and in some instances expands the legal definition of PI from previous rules. For example, while Internet addresses were not explicitly considered PI in the previous EU directive, they are now. Here’s how to make sure you’re ready.