How to Talk Security to the Board of DirectorsCSO's Advice: 'Come to the Board with the Full Story'
First off, as a CISO or other senior security leader, know you have a limited amount of time on the board's agenda, so make sure you maximize those minutes, South says.
Especially if you're seeking board support for a new initiative, it's important to be clear, concise and complete.
"I think the most important aspect of securing board support is to come to the board with the full story," says South, who has made many board presentations in his career. "Understand not just what the relevant point is - the security issue you might want to be discussing - but also to have the mitigation efforts understood, to have cost factors understood and to be able to explain both short- and long-term impacts. In essence, just basically have the entire business story around the issue you want to present to the board."
Risks. Threats. Potential solutions. There are many factors to weigh when bringing security issues to the board, South says. Some of these topics may be new to board members, but never assume that board members won't already have their own opinions and questions on some of these matters.
"I can guarantee you when you talk to the board, even though some of them have accounting backgrounds, or some of them may have been in corporate governance for a long time, they can come up with some really good questions even on the technical aspects of security," South says. "They can ask some pretty pointed questions."
In an interview about how to present to the board, South discusses:
- The keys to securing board support for IT security initiatives;
- Presentation skills CISOs must develop for themselves and their teams;
- Mistakes they must avoid.
South is the Chief Security Officer for Heartland Payment Systems, where he establishes the security strategy and internal risk assessment programs. He ensures that Heartland is compliant with internal, industry and regulatory requirements including the Payment Card Industry Data Security Standard. He is Heartland's liaison with security professionals in the Financial Services Information Security and Analysis Center (FS-ISAC) and is a member of the Payments Processing Information Sharing Council (PPISC).
Prior to joining Heartland in September 2009, John held leadership roles in information security for Convergys (Intervoice) and Alcatel-Lucent. He spent several years in Belgium and Paris leading Alcatel's European information security operations.