Join Mandy Huth for an in-depth discussion in this video, Talking to the C-suite, part of Security Matters (To Everyone).
(upbeat music) - Your board meeting is tomorrow morning. Let's talk about how you can effectively talk to your C-suite about your security program. First, let's talk about objectives. Our objective as security professionals is to educate and prepare our board members to be able to talk about security to our stakeholders. Before you walk into that meeting, you need to know what your board cares about.
You need to live in their world and understand their objectives so you can talk to them about that. Boards wanna know that the tools that they've purchased are working to make their business more effective and less risky. Let's be clear: that means you are not talking about antivirus, you are not talking about encryption, and you are certainly not talking about network gear to them. So what does your board wanna know about? There are three things we wanna tell them about. First, your board wants to know about the brand and our reputation.
They have to be able to talk to customers about how we're securing the things that they're purchasing. Customers need to feel assured that the brand that they're purchasing is secure. Second, the board needs to know about compliance. The board needs to be able to talk to regulators and demonstrate with assurance that they're doing the things required by law. The third thing the board wants to know about is how we're reducing risk. Talk to the board about the risk-based decisions you've made, how you arrived at the decision, and how you're balancing the business against the risk.
Most importantly, as you walk into that room, know that you're a partner. Be a business enabler. How are you making your security program an enabler to the business to make it more efficient? There are three things you can show the board that will help them understand. First, show them threat traffic, and show them how your security program is avoiding that traffic. Second, report any incidents that have happened since the last time you met with them. The board needs to understand any threats that may be appearing in front of the business.
Third, highlight the strengths and the weaknesses of your security program. Talk about the gaps in your capability and what you need from the board to overcome those. Most importantly, do not, under any circumstances, use fear, uncertainty, and doubt. It does no good to scare your board. Walk into your meeting, talk about the facts, be a partner, enable your business, and you'll do just fine. (applause)