Andrew Pritchett is the Chief Information Officer at Grant Thornton Australia, joining the firm in 2013. He has led various teams through technology and cultural change with a strong emphasis on culture and technical excellence. Andrew has been awarded two patents, one for a workflow management system and one for a finance system for billing. Andrew believes in a strong emphasis on cyber security as a foundation for both technology teams and the broader business. Andrew loves working with people, helping them develop, and all things technical.
Ever had to make a business case to the board?
Every technology leader has felt the struggle of getting their point across to a boardroom of executives. And every CISO knows that proving performance and unlocking cybersecurity budgets can sometimes feel like pulling teeth. You have all the facts and data on your side, so why can’t they see the big picture?
If you’re a CISO facing a communication challenge like this one, I can understand your pain. Most CISOs are never given any training on how to best present a business case to the board, or on how to meaningfully engage C-suite executives on cyber goals. As a result, many rely on endless slides of data points and charts to get their point across, which may not always be the most effective approach. In fact, showing less data may be more persuasive, provided you’ve curated the right data points in the first place.
The best way to demonstrate the results of your initiatives is to use storytelling to lay out your point of view and then back up that story with statistics. It sounds simple in theory, but in practice, making sure your stories stick is a bit of an art. And like any art form, it takes a lot of trial, error and experience to make it look easy.
What CISOs and tech leaders need to know about storytelling
A few years back, we had the opportunity to attend a storytelling training session at work. I jumped at the chance and found it incredibly useful. Every great story has a set of key characteristics, which essentially describe a ‘model’ for storytelling. And if you know anything about me, you know I love a good model!
Good stories have the ability to take something abstract and make it concrete. Let's see if we can break it down and look at the key components of the storytelling model:
Characters: Good stories have relatable characters. Give the characters names; people work better with names. For example, “Ian was our CFO, it was a busy time in December...” Humanising details like this give the audience an emotional connection to Ian. What kind of a person is Ian, what are his goals, his challenges?
Timeline: Setting the timeline for a story helps it resonate. When did Ian’s story happen? Over how many days? People connect events to specific instances of time in their minds, helping them make sense of the narrative.
Plot: This is the actual story that you want to get across. The three-act play is a great model for creating a plot. Act one sets the stage and shows us Ian’s world when all is well. In act two, Ian’s world is disrupted and he must face the crisis created by that disruption. Act three is about the twist in the story and how he resolved the crisis. Cap it off by referencing the moral of the story and voila! You have a compelling plot. This structure works for stories about Ian, entire teams, whole companies, even whole countries.
Moral: A good story has a memorable takeaway that serves as the moral of the story. What’s your story about? It should be clear to the listener what lesson they should take away. For example, “And that’s how Ian learned that it takes teamwork to defeat the cyber baddies”. This connects the listener to what they're hearing and what they’re listening for.
At the heart of it, stories are a series of facts and events wrapped in context and delivered with an emotional connection. For example, what did you infer about Ian and his story? Stories tell people about your character, they reveal in a powerful and intimate way who you are and what you believe in. So be courageous, and use storytelling as an opportunity to engage.
To illustrate my point, let me tell you a story about a Board member I knew. Way back in the dark, ancient times of 2016, a Board member put a challenge to me. She was really interested in training our people in cybersecurity and wanted to make sure everyone would participate. I suggested we could consider mandatory training, and running with that thought, she was interested in knowing what we could do to enforce it. I jokingly said we could lock out their accounts if they failed the training or skipped it. She thought it was a great idea! The first time we locked out the accounts, we quickly had a group of irate people at our door demanding to be unlocked immediately.
Imagine you were a highly paid consultant who suddenly couldn’t access email, log onto your computer or do anything with it. On top of that, you had to do the walk of shame to complete your training before you were allowed to get back to work. I doubt you would take that kind of treatment very kindly. The situation became quite tense, and I was under a lot of pressure to back down on the entire training programme.
One day I had Shane, a partner of the firm, tell me, “My wife got targeted by a phishing attack. I didn't even know what that was until I'd done the training. Luckily, I had done it, and it really saved us. I knew exactly what was going on”. Shane’s experience showed me that even if it was unpopular, cybersecurity training was essential, and protected us all from cyber risk.
I used that story when presenting to the board next time on our cyber platform. It was a great story about integrity, sticking to your principles and doing what you say you will do even when it’s hard.
Once you have your story, support it with data
The kind of story you share with the Board depends on what your intended outcomes are, and what data you have to support your narrative. You might be making a performance report, or maybe you’re making a business case for a bigger cybersecurity budget. So what kind of data points should you be using to support your story?
Let’s say you’re making a presentation on the business value of your cybersecurity initiatives. You might consider showing how the cost of cyber insurance is increasing, and how your information security capabilities are actually lowering your insurance costs. You could also ask your insurer for some estimations based on your current situation and show how your cyber initiatives have offset some of those costs.
Maybe you’re looking to show how your team is creating business value? Keep track of the proposals your company is submitting and whether the clients are demanding cyber compliance. Framing the size of the project in terms of revenue and profit will absolutely demonstrate the value of the cyber investment your firm is making. You may find that one big job could pay for the entire programme.
Other cyber statistics you could use
Here are some other examples of data points you could use to support your case.
Phishing simulation attack metrics: At Grant Thornton Australia, we use Mimecast for training and testing. Some of the metrics include click-through rates, which can be measured over time to show improvement.
External metrics: BitSight is an external platform that offers the most widely adopted Security Ratings. You can get your firm’s score against industry benchmarks, making it a fantastic way to demonstrate that what you're doing is working.
Ethical hacks: How many days (hopefully not minutes) did pen testers take to penetrate your network? What's the average? Show that data. Comparisons to prior tests and industry benchmarks can be especially useful.
Email metrics: As a Mimecast customer, we have statistics on email volume and how many messages are attacks; this gives someone outside the technology function context on the volume we deal with.
Budget/spend vs benchmark: To give context to the board and the executive team, how much is your cyber spend compared to Gartner’s benchmarks? Are you investing enough? More is better (usually). This sort of comparison provides the context needed for people to own their investment approach.
What our Monthly Cyber Board Report looks like
Don’t you hate it when a cybersecurity article talks about all the what-if's and could-be's, without talking about specifics? Me too.
That’s why I thought it would be helpful to share the structure of our firm’s monthly Cyber Board Report (without the content of course). I try to keep the structure steady and update it monthly, whether I'm asked to or not.
Internal View – covers our own framework for scoring cyber security maturity.
Internal View – any updates on certificates from governing bodies.
Internal View – Cyber project roadmap for the coming 12 months with updates on execution.
Internal View – Any internal breaches that had an impact.
External View – Ethical hack results and items to be rectified.
External View – Bitsight score for our firm and a snapshot of competitors and benchmarks.
External View – Any significant breaches that the board should be aware of and any impact on our firm.
People View – Completion of cyber training statistics and regular phishing attack statistics.
Budget View – Statistics of % spend vs revenue, actual spend vs revenue, % spend vs Technology budget and Gartner benchmark comparisons.
Obviously, this is quite comprehensive, and you may not need to report on all these items every month. But it should give the CISOs out there a good idea of what could go into a typical report, and depending on what their firm’s cybersecurity goals are, can help them flesh out what an ideal monthly or quarterly report would look like.
Remember, the key is the story you tell. The Board needs to hear your vision for cybersecurity. The data is just there to support your narrative. So be selective about your data points, make sure you discuss outcomes, not just output, and spin an interesting story. All the best!