You've spent the past few months collecting information, discovering vulnerabilities and determining gaps in your physical and information security environment. It's like a full physical examination, including upper and lower GI series, blood tests, an MRI and a prostate check. Prior to this effort, the corporate executives found ignoring security issues to be a cost-effective method of risk management, largely because you could provide no hard data on the losses they face.
If you can't identify breaches or attempted break-ins, the board has no incentive to buy safeguards, execute the protection strategies and organize properly to combat threats. But now it seems the stars are aligning to facilitate a security breakthrough. Your "exam" identifies threats and assesses vulnerabilities for the potential loss, modification, disclosure and destruction of mission-critical information; the results show where the attacks are coming from, their frequency and their intensity. Meanwhile, record numbers of breach disclosures flood the media. Governments are pumping out new privacy legislation with remarkable regularity, further raising awareness of the cause. The time approaches to set funding priorities for the next fiscal year. Surely security will be properly funded for the first time in corporate history?
Wrong! Regardless of what the data says, if you do not communicate in a way that speaks to the sensibilities of the corporate C's (the CEO, CFO, CIO and their peers) without political embarrassment, they won't get the message. So how can you craft the message so that you can be sure it will penetrate to the appropriate level?
1. Seek out a trusted sponsor: a person who can serve as a conduit for getting your message heard. At one firm, I found the VP of Internal Audit to be a great ally. Internal Audit has been trying for years to get the company to act on its findings; auditors follow a professional code, as you do. Your efforts will only help their cause. Align your information security pitch with their internal-controls-oriented message, adding specifics relevant to the 10 domains of ISO 17799 or the CISSP Common Body of Knowledge.
2. Make sure the emperor does have clothes. Communicate proper issue awareness to the CIO on more than one occasion prior to the board-level presentation. Accompany this message with details of how previous investments have led to measurable wins.
3. Have a clear plan in hand. Articulate a well-defined two-year time line for risk remediation and optimization. Include funding requirements with capital amortized and resources defined at least at a rough level.
4. Know your professor; get an A. Query those who have had at least one audience with the C's as to their style and expectations. Learn of their personality types if possible (the Myers-Briggs test is one good way to approach this task).
5. A good idea before its time is not a good idea. Examine the current corporate climate for proper timing. Make sure that there is no current crisis that will preoccupy the executives' attention during the delivery. Nevertheless, don't wait too long, or the window of opportunity will pass.
6. Surprises are great for birthdays but not for board meetings. Communicate to the leadership team that a read-ahead is coming. Provide it at least three to five days prior to the meeting. Make it clear and concise. Your trusted ally will help you determine what is acceptable in your environment. Hand-deliver it and have each executive's admin sign for receipt.
7. Test the waters. Deliver the message to a risk committee or other such group. Ask for immediate feedback on the effectiveness of the message.
8. Know your company's industry. Like a professor about to teach a class, know everything about your industry, including the surrounding legislative and market trends within your vertical. Be prepared to discuss what your competitors are doing. Deliver the message as a market differentiator.
9. We are not alone. Ensure the C's know that this is a journey and that they are not alone in their efforts to provide proper protection strategies and safeguards over their mission-critical data.
10. Be confident. If you have followed these steps, you have reached the top with a well-honed message, regardless of the outcome.
Jeffrey Bardin is CISO at Hanover Insurance, a Fortune 1000 financial services firm