How to successfully pitch cyber security projects to the board

To experts, the cyber security business case is often clear as day — it can even be hard to understand why rational business leaders may say no to investment. Yet they do. Here’s how to get a yes.

Winning board support for cyber security projects is a critical challenge for security leaders and Chief Information Security Officers. Photo by Daniela Mota on Unsplash

Yesterday I was asked by a CISO (let’s call him Robert¹) why his Risk Committee pitch was not being heard. This was not a problem with the content of his slides: the topic was important and the case for change was clear, but the committee simply did not seem engaged at all. He is far from alone in this, with research² indicating that some 75% of board members want to spend more on cyber security than they do in practice.

This is a significant problem for security leaders, as a large part of leadership in cyber security is convincing stakeholders that supporting a proposed change is the right thing to do.

For Robert, the issue was not that he was losing the committee’s attention, but rather that he was never winning it in the first place.

He was not wasting their time. He had been told he would only have five minutes, and had prepared accordingly, so as he sat outside the boardroom waiting to be called in he was confident. At the previous meeting he had explained to them that some 80% of the company’s websites had never had a security assessment, and so the organisation was carrying a significant level of risk, with a future breach a near certainty. The committee had asked for this proposal and he was ready to go straight into his business case.

Robert jumped in with the plan: “further to my last report, we propose to invest $400k assessing the risks of our legacy websites. We have failed to take action in the past, and if we do not address this now we run a significant risk”. He went on to show that the risk exceeded the cost to fix by a factor of 10, that they were ready to start, and that the project could be delivered within 12 months.

It seemed cut and dried, he had the analysis in his report to back it up, and the funds were available to do it.

The committee should have been engaged, but they were drifting to their phones and laptops. The result was uncertainty among committee members and a request for a further report in three months, during which time, Robert knew, the risk could easily materialise.

Robert was clear about the audience and the pitch. However, because he did not renew their attention from the previous meeting, the rest of his pitch fell on deaf ears. He forgot that since they last heard from him the committee’s attention had been on many other matters, and that he would need to remind them why this was important before delivering a structured case for his plan.

In his defence, there was no time for a full 30-minute presentation, and delivering a structured business case in a few short minutes seemed impossible.

It’s not.

To avoid this problem, we can take lessons not from technology but from speechwriting. Using the simple 10-step method below will not guarantee the result you need. However, it can be delivered successfully in five minutes or less, and it will ensure that you have the attention of the room throughout.

The 10 steps to cyber security board pitch success

  1. Purpose
    State simply the decision required, so everyone is clear what they are being asked for. For Robert, this could be “I am requesting the committee’s support for a $400k spend over 12 months to address legacy application risks”.

As you will see, this is quick to do. In our example it requires only 13 sentences to deliver, sometimes fewer. It takes the audience with you as an ally, rather than appearing to apportion blame or responsibility for the status quo. It uses your prepared presentation for support, but does not assume pre-reading or duplicate its content. It has a clear beginning, middle and end: saying up front what you will cover, to avoid surprises or lack of clarity about the ask; covering it concisely in business terms and addressing any areas of contention; then reminding the audience what you need from them.

And, yes, you can do this in less than five minutes. For anything. Have a try.

10 steps to effective cybersecurity board presentations — Infographic

Download the high-resolution infographic and PDF version here:

About the author

Matt Palmer is a recognised technology and cyber risk leader in global financial services. He has led security and IT functions across banking, insurance and capital markets — often through change and M&A. He is director of boutique cyber risk advisory firm Cyberclaria and a board advisor to several fintech startups. An accountant and technologist, Matt has presented at many international cyber security conferences and was awarded Security Leader of the Year in 2018.

Connect with Matt on Medium, LinkedIn and Twitter, or sign up for further insights from Matt here.

By Cyber Strategy & Leadership

Cyber Strategy & Leadership is published to support business leaders from board level to operational management with the challenge of leading and directing enterprise cyber security. Our mission is to simplify, clarify, and inform.