Getting the Board on-board
"Engaging with the board: Five ways for Chief Information Security Officers to stand out" was an excellent advisory from PwC that stimulated me to think of supplementary advice, a set of corollaries for PwC's advice.
PwC tip #1: "Invest in your relationships."
Hinson tip #1: "Don't focus and rely entirely on individual Board meeting/s".
Board members may usefully be contacted and briefed or lobbied outside of the meetings, ideally in person over an extended period. You might be introduced through a well-connected senior manager who understands and is sympathetic to the information risk and security objectives (implying they need to be on-board first). Failing that, friendly email, text messages and phone calls work. Better still is to establish a long-term business-like social relationship with the Directors and executives based on mutual respect and trust ... which means finding out about their concerns as much as expressing yours. And, by the way, it's worth asking for feedback and improvement suggestions. Are you pitching stuff appropriately? How could your interactions become more effective?
PwC tip #2: "Be thoughtful when preparing pre-read materials."
Hinson tip #2: "Include the Board and executive/senior management in your security awareness program."
The PwC advisory mentions that too few Board members are tech-savvy but I'd go further than that. IT/tech and cybersecurity awareness could be higher, yes, but even more important is senior management's broad understanding of information risk and security in general, especially in relation to its value and relevance to the organization's business objectives and to their governance and compliance responsibilities.
PwC suggests providing executive summaries. A good exec summary doesn't just give a succinct precis of a piece: it catches the reader's eye and intrigues, leading them to want to learn more about the topic at hand. There's an art to writing exec summaries, picking out the key points and expressing them appropriately in as few words as possible, in such a way that readers are willing to read the full version. Despite having been practicing since the 1980s, I still find this as challenging as writing advertisements and marketing copy.
PwC tip #3: "Know your audience."
Hinson tip #3: "Research the Board."
Do your homework. Find out who sits on the Board, for starters, and what roles they play. Use Google and LinkedIn to profile them, discovering their experience and interests. Experienced Board members often sit on several Boards, for instance: what else do they do? Ask senior colleagues about Board members and Board business, such as who might be sympathetic or resistant to information security, and what else might be on their plates at the moment. Although Board agendas and minutes tend to be confidential, you have a legitimate interest, potentially a need to know. Discreet inquiry of the right people is not unreasonable.
PwC tip #4: "Be strategic with your time."
Hinson tip #4: "Respect the Board's high level business perspective."
For best effect, all awareness and training materials and activities need to suit their intended audiences. The rather basic fare pitched at employees in general, or the more technical content aimed at specialists, is unlikely to resonate with management. Board members, in particular, have lots of significant issues on their plates already so the security awareness materials need to get straight to the point. Furthermore, their perspective is strategic - high level and broadly concerned about the organization as a whole. So 'the points' (the topics covered and points made) need to be relevant, to resonate with them.
We deliver a stream of awareness content aimed specifically at the management audience, including succinct, high-level, business-like items specifically written with senior/executive management and directors in mind.
Our portfolio of ~70 topics includes but goes well beyond cybersecurity, covering the organizational context and compliance aspects for instance. Governance, risk, control, effectiveness, efficiency, innovation and maturity are brought up frequently as threads or points of interest and concern in the materials.
PwC tip #5: "Focus on your message."
Hinson tip #5: "Focus on effective comms."
PwC's advice revolves around putting on a good show, a professional, polished performance in front of the Board. That wide-eyed bunny-in-the-headlights look is a classic symptom of someone who is new to the game. Fair enough, PwC, but there's more to it than appearance or first-night nerves.
Don't forget that Board members are politically-savvy, senior, experienced business people - and human beings with all that entails. Don't be too intense, too pushy or disrespectful. You want/need them on your side. Inform, persuade and motivate them. Actively sense their reactions and responses. Exploit their hot buttons. Treat this as a social engineering challenge if you like. Don't forget that the way you communicate stuff is just as important as the content - not just the message but how and when you express it including the context or situation.
And the best way to get that right is to practice as often as you can, which takes us neatly back to the start. If attending Board meetings is just a fairly routine part of your ongoing productive dialog and trusted relationship with senior managers, you're on to a winner.