ARN

CeBIT 2014: Top 5 tricks when pitching security

Five tricks when pitching security to the board

CeBIT's Cybersecurity Conference panel - CyberThreats: No board regret - saw a variety of experts discussing the best way to bring what is an unsexy topic to the board.

As part of the CeBIT Cybersecurity Conference, Mark Tims, partner at KPMG, Greg Baster, CIO at GPT, Troy Braban, CISO at Australia Post, and David Fisher, head of technology risk and information security at ANZ, all shared their thoughts on how best to bring security issues in front of the board. Here are five of their best tips.

  1. Keep it simple, stupid: Board members aren't always going to be as tech savvy as you are. Try to speak their language - that means no acronyms, or arcane technical concepts. But by the same token, don't oversimplify and play down any issues.
  2. Regular meetings: Cybersecurity is now so vital, staff members should really have regular meetings scheduled with the board to keep them up to date. This should be either quarterly, or, depending on the industry, monthly. Make sure your policy is proactive, and not just about minimal compliance.
  3. Commercial balance: If you can't reach the board on a purely technical level, produce a business case. A cost-benefit analysis of any proposal can help them weigh up the cost of the investment against the risk of data breaches. Money talks.
  4. Openness and transparency: You have to be completely upfront with the board - don't hold back information because you think they might not understand it. Keep to the facts and make no assumptions. You will be the one who suffers if you hold back information. This also helps the board make the fairest and most balanced decision. If you've made your case as best you can and the board still doesn't respond, at least it's on the record.
  5. Engage internal and external comms: You need to get all your managers at every level of the company on board. There is a delicate balance here - if you send out too many routine messages, they end up being skipped. Send out too few updates and security can become lax. It may also be key to reach out to end-user customers.