Nick Lennon is the ANZ Country Manager at Mimecast, having joined in 2007 as a Channel Sales manager. As a leader in management excellence, Nick has personally grown the local team from five members to over 100 since Mimecast’s introduction to the ANZ market. Nick maintains a passionate focus on achieving rapid local business growth, understanding evolving challenges across all verticals and ensuring customers get the best service driven by Mimecast’s strong culture.
Reporting cybersecurity to non-cyber executives: a CISO's guide
One of the biggest challenges CISOs face is getting their point across to their fellow C-suite and the board in a way that resonates with them. There are a lot of competing priorities to juggle, and CISOs need to be skilled at making a strong business case for their recommendations if they want to put them into action.
While awareness of cybersecurity is growing among senior decision-makers and stakeholders, it’s not uncommon to encounter some reluctance from non-technical leaders when proposing new cybersecurity initiatives or practices. But Board members’ and executives’ involvement in cybersecurity goals is crucial. Risk management and security affect all aspects of the company and have serious consequences for business operations and the company’s bottom line.
That’s why we’ve put together this short guide on how to frame your discussions with boards and executives so they can see the value of your perspective.
Frame your KPIs in a business context
Technical Key Performance Indicators are a great way to demonstrate your team’s performance, but context is everything. KPIs themselves aren’t the goal: what they represent and how they affect the company is what matters. Use them to illustrate your narrative and present your case.
Organisations have multiple stakeholders, all of whom have wildly varying levels of cybersecurity awareness and interest. Cybersecurity performance can be a difficult and complex topic to grasp, so frame your achievements in terms of how they impact your organisation’s business and risk mitigation strategies. You need to give not just the “what” but also the “why” when reporting to the Board.
Compare your organisation with its peers
Boards of Directors review their position in their market every year. The security data you provide can enhance their insight into how well they compare with their peers, which in turn influences their annual financial planning. By using similar companies as a benchmark, you can demonstrate how well your cybersecurity initiatives are doing compared to the industry as a whole. There are security ratings platforms (like BitSight or SecurityScorecard) that collect publicly available information, and their data can help the board visualise where the organisation stands relative to the market on cybersecurity. Some of these dashboards can be quite detailed, which enables you to demonstrate your team’s success and bolster the Board’s confidence in your abilities as a CISO. Even if you’re not comparing your organisation to another, a historical record of your KPIs year on year can provide valuable insight to the Board, especially when planning (and budgeting) for future projects.
Discuss the impact of cybersecurity on your organisation’s risk level
You need to have your finger on the pulse of your organisation’s risk tolerance levels. Using these measurements allows you to make cybersecurity a part of your organisation’s overall risk management strategy. That means you may need to evaluate the historical impact individual cyber threats have had on your company’s bottom line. By looking at the financial impact of successful attacks, you can conduct a qualitative risk analysis and triage the most pressing risks in terms of financial impact. This will help you explain where risk is concentrated and unlock the budget to address it. Leveraging threat intelligence for this purpose can help you visualise your cyber risk posture and show where improvements can be made.
It would be great if CISOs could directly show the ROI their initiatives generate, but the link between cybersecurity and ROI is rarely so clear cut. That’s why presenting your results in terms of risk management can be a powerful way to make your case. It is vital that the board understands the value of the work your team does, and linking that work to tangible business impact is one of the best ways to get senior executives on board with your plans.