How to get fast board buy-in for your cyber security project — Matt Palmer
To experts, the business case for cyber security change programmes can seem clear as day — it can be hard to understand why rational business leaders may say no to investment. Yet they do.

Here’s how to get a yes.

Winning board support for cyber security projects is a critical challenge for security leaders and Chief Information Security Officers.

Recently I was asked by a CISO (let’s call him Robert) why his Risk Committee pitch was not being heard. This was not an issue of slide content: the topic was important and the case for change was clear, but the committee simply did not seem engaged at all.

He is far from alone in this problem, with research indicating that some 75% of board members want to spend more on cyber than they do in practice.

This is a significant problem for security leaders, because a large part of leadership in cyber security is convincing stakeholders that supporting a proposed change is the right thing to do.

For Robert, the issue was not that he was losing the committee’s attention, but rather that he was never winning it in the first place.

He was not wasting their time. He had been told he would only have five minutes and had prepared accordingly, so as he sat outside the boardroom waiting to be called in he was confident. At the previous meeting he had explained to them that some 80% of the company’s externally facing applications had never had a security assessment, so the organisation was carrying a significant level of risk, with a future breach a near certainty. The committee had asked for his proposal to fix this, and he was ready to go straight in.

Robert jumped in with the plan: “further to my last report, we propose to invest $400k assessing the risks of our legacy websites. We have failed to take action in the past, and if we do not address this now we run a significant risk”. He went on to show that the risk exceeded the cost to fix by a factor of 10, that they were ready to start, and that the project could be delivered within 12 months.

It seemed cut and dried: he had the analysis in his report to back it up, and the funds were available to do it.

The committee should have been engaged, but they were drifting to their phones and laptops. The result was uncertainty among committee members and a request for a further report in three months, during which time, Robert knew, the risk could easily materialise as a major cyber security incident.

Robert was clear about the audience and the pitch, but because he did not renew their attention from the previous meeting, the rest of his pitch fell on deaf ears. He forgot that since they last heard from him the committee’s attention had been on many other matters, and that he would need to remind them why this was important and deliver a structured case for his plan.

In his defence, there was no time for a full 30-minute presentation, and delivering a structured business case in a few short minutes seemed impossible.

It’s not.

By using the simple 10-step method below, you can deliver an effective pitch and keep the attention of the room throughout.