To experts, the cyber security business case is often clear as day — it can even be hard to understand why rational business leaders may say no to investment. Yet they do. Here’s how to get a yes.
Yesterday I was asked by a CISO (let’s call him Robert¹) why his Risk Committee pitch was not being heard. This was not an issue of content of slides: the topic was important and the case for change was clear, but the committee simply did not seem engaged at all. Yet he is far from alone in this problem, with research² indicating that some 75% of board members want to spend more on cyber than they do in practice.
This is a significant problem for security leaders, as a large part of leadership in cybersecurity is convincing stakeholders that supporting a proposed change is the right thing to do.
For Robert, the issue was not that he was losing the committee’s attention, but rather that he was never winning it in the first place.
He was not wasting their time. He had been told he would only have five minutes, and had prepared accordingly, so as he sat outside the boardroom waiting to be called in he was confident. At the previous meeting he had explained to them that some 80% of the company’s websites had never had a security assessment, and so the organisation was taking a significant level of risk — with a future breach a near certainty. The committee had asked for this proposal and he was ready to go straight into his business case.
Robert jumped in with the plan: “further to my last report, we propose to invest $400k assessing the risks of our legacy websites. We have failed to take action in the past, and if we do not address this now we run a significant risk”. He went on to show that the risk exceeded the cost to fix by a factor of 10, that they were ready to start, and that the project could be delivered within 12 months.
It seemed cut and dried: he had the analysis in his report to back it up, and the funds were available to do it.
The committee should have been engaged but they were drifting to their phones and laptops. The result was uncertainty from committee members and a request for a further report in 3 months — during which time, Robert knew, the risk could easily materialise.
Robert was clear about the audience and the pitch, but because he did not renew their attention from the previous meeting the rest of his pitch fell on deaf ears. He forgot that in the time since they last heard from him the committee’s attention had been on many other matters, and he would need to remind them why this was important and deliver a structured case for his plan.
In his defence, there was no time for a full 30-minute presentation, and delivering a structured business case in a few short minutes seemed impossible.
To avoid this problem, we can take lessons not from technology but from speechwriting. Using the simple 10 step method below will not guarantee the result you need, but it can be delivered successfully in five minutes or less and will ensure that you have the attention of the room throughout.
The 10 steps to cyber security board pitch success
1. State simply the decision required so everyone is clear what they are being asked for. For Robert, this could be “I am requesting the committee’s support for a $400k spend over 12 months to address legacy application risks”.
2. Obtain engagement by highlighting why the issue matters in as few words as possible, connecting with any previous discussions to refresh memories. For example “In my March report, the committee recognised that this was a critical and urgent issue and commissioned me to draw up a plan to address it”.
3. Recognise the decision that the group has to make, whilst avoiding any appearance of blame. Whether right or wrong, past decisions were made for a reason and there is usually no need to pick them apart or challenge them. “Recent incidents in the industry have shown that this posed a much greater risk than we knew when these systems were introduced”.
4. State clearly what the actual problem is. “We have 420 legacy websites of which only 31 have been assessed. Of those assessed 27 had critical issues — we estimate that approximately 90% of the remaining sites will have issues we will need to address quickly”.
5. Explain the impact. This is business impact, not technical impact. If you have done a quantitative analysis this is where to raise it. If you have not, a qualitative comment will often suffice. “Many of these sites hold confidential data on our customers. If this is breached we will lose their trust and suffer significant costs, fines and penalties”.
6. Provide the answer. This is what Robert jumped to directly — he spent all his time here, which is why he was not heard. We are only seven sentences into our pitch now (count them!), but those seven sentences really matter. Now we are all on the same page and ready to hear the proposal. “We will assess 35 sites a month on a risk prioritised basis over the next 12 months to cover the remaining 389 sites before the end of the year. As soon as we become aware of issues we will commence remediation, and we will report back to the committee quarterly on progress”.
7. Acknowledge any expected challenges in delivery. If you have done your research, you will understand the interests of those around the table and be able to instinctively spot the questions they are likely to raise. Even if not, major concerns are often easy to see by looking at the proposal through the eyes of stakeholders. Usually these are political, resource related, or confidence related. “We know this will take some time for the application support team, and they are under pressure right now due to major system upgrades.”
8. Address the obstacle head on. “We have spoken to the Application Support Manager and IT Director, and confirmed that we can schedule work away from the end of the month when they are busiest”.
Note — you may need to repeat steps 7 and 8 if there are a couple of issues you know will be raised. If there are more than two, create an appendix and refer to it: “We have socialised the plan widely and have addressed the key issues as shown in Appendix 1. I will be happy to discuss this further with you if there are any concerns”.
9. Offer social proof. Social proof is not a wild-eyed theory. Most rational human beings want to know that regardless of your internal analysis, there is some external frame of reference. If you don’t address this directly, you may be asked to pause to get an external view. It’s not personal. The good news is that it can be addressed quickly: “Our competitor XYZ Plc implemented a similar approach over three years — however given their major breach last month, a year into their program, we believe we should move faster”.
10. Close with the request. This means going back to the beginning and the original request. “I would like to request the committee’s approval for the program as proposed”.
As you will see, this is quick to do. In our example it requires only 13 sentences to deliver — sometimes fewer. It takes the audience with you as an ally, rather than appearing to apportion blame or responsibility for the status quo. It uses your prepared presentation for support, but does not assume pre-reading or duplicate its content. It has a clear beginning, middle and end: saying what you will cover up front to avoid surprises or lack of clarity about the ask, covering it concisely in business terms and addressing any areas of contention, then reminding the audience what you need from them.
And, yes, you can do this in less than five minutes. For anything. Have a try.
Download the high-resolution infographic and PDF version here: https://my.visme.co/projects/ojqq6mm4-10-steps-to-winning-support-for-your-cyber-security-project
About the author
Matt Palmer is a recognised technology and cyber risk leader in global financial services. He has led security and IT functions across banking, insurance and capital markets — often through change and M&A. He is director of boutique cyber risk advisory firm Cyberclaria and a board advisor to several fintech startups. An accountant and technologist, Matt has presented at many international cyber security conferences and was awarded Security Leader of the Year in 2018.
¹ Name changed for confidentiality.
² Economist Intelligence Unit, 2018, https://perspectives.eiu.com/sites/default/files/EIU_WTW%20-%20How%20boards%20can%20lead%20the%20cyber-resilient%20organisation.pdf