This blog post is a continuation of the ninth edition of the Securing Things newsletter - Digital Transformation & Cybersecurity Premier (an introduction) and the 11th edition - IT & OT/ICS Cybersecurity Strategy, which talks about drafting an integrated IT and OT/ICS cybersecurity strategy or independent ones. In case you've missed them, I highly recommend reading them first before reading this edition of the newsletter.
Let's get started. Are you ready?
Now that you've laid out the high-level steps of the #digitaltransformation and #cybersecurity #strategy journey and have finished drafting/developing the #cybersecurity strategy (phase 1 in the strategy lifecycle), the next step is preparing and presenting the cybersecurity strategy to business executives and/or the board of directors to get their buy-in and approval for the funding, executive commitment and resources required to execute the strategy (phase 2 in the strategy lifecycle).
This is probably one of the most daunting and difficult tasks for many, especially for people with technical skills and no management background or business skills. Many struggle to get the message across and don't get the right level of support or funding from business leaders/executives. You need to take off your technical hat and put on your business hat: simplify the messaging around the cyber risk equation and focus on the risks and consequences that your organization is potentially exposed to.
On a daily basis, business executives and the board of directors work to make the right decisions to move the business forward by managing the various types of risk (financial, reputational, legal, environmental, ESG, operational, etc.) that their business operations need to address, so that their investment decisions are prioritized.
Before the Presentation
Research the executive audience you'll be presenting to (what they like to discuss, their interests, persona types, etc.). If you know them personally you may have an advantage, but in some cases it's very likely that you don't interact with them on a daily basis. If you don't know them closely, ask people around you who have given presentations, and take into account their feedback on what works and what may not work.
Presentation (Content Preparation-to-Delivery)
Make it sound like you are taking them on a short, precise, quick journey in which you project the current state of affairs, what your recommended target state looks like, and what it would take the business to achieve the target state, i.e. a managed risk state.
Below is an example agenda:
Agenda/Presentation Title - choose a catchy title that draws attention (that something important is coming) and may resonate with the business vision and/or priority business goals, e.g.:
- Global Cybersecurity Strategy (2023-2026) or
- IT and OT/ICS Cybersecurity Strategy & Program Roadmap - A structured risk reduction approach.
Note: choose titles specific to your own environment and scenario.
- Brand name/products/services could be replaced by your specific business elements, e.g. X food & X beverages brand or product names / services, anything that's business specific.
- Depending upon the executive leadership style, some would prefer the asks (i.e. item 4 in the above picture) to be put earlier in the presentation, before you talk about 2 and 3. Adjust accordingly.
Ensure you understand the current business climate and situation, and whether it's the right time to ask in the first place. The budget submission period is perfect, but you need to spread awareness among peers and other parts of the business well in advance to get buy-in in time for the budget.
Be as specific and precise as possible on the asks from the executives (e.g., resource requirements, staff involvement, approvals and funding etc.).
Taking Inspiration from Different Experts from the Field
It's great to learn from experts that share some wonderful techniques on how they are moving ahead with their plans, what hurdles they face and how they've overcome them including ideas on what to present and what not to cover.
Below is a list of a few great video presentations for reference:
- A case study master class on Reporting Cyber Risk to the Board by Omar Khwaja - YouTube (by Omar Khawaja)
- A Practical Approach to Presenting to the Board of Directors for CIOs #GartnerSYM - (by Tina Nunno)
- How to Present Cyber Security Risk to Senior Leadership | SANS Webcast - YouTube (by James Tarala)
- Briefing the Board: Lessons Learned from CISOs and Directors - YouTube (by Alan Paller, John P.)
- Risk Management & Executive Communication with Patrick Miller (by Patrick C Miller)
- Cybersecurity Leadership - YouTube (playlist of 112 videos in the #sansinstitute #cybersecurityleadership series; many presenters to thank).
You'll likely only have 30 mins to an hour (if you are lucky) to get your message across and make it stick with executives. Prepare. Do some dry runs with colleagues/team. Modify and adjust.
Be ready to request another time and/or shorten your presentation, as far too often something urgent will come up at the last minute. Have a 15-minute version of your speech in mind in case the original timeslot is shortened.
Tip: Check out the above example videos for insightful tips and approaches.
Executives and the board care about (or are tasked with caring about) the following few things:
- risks (regulatory, security, brand/reputation, financial, innovation or lack thereof),
- revenue / mission and
- costs (do more with less)
- customers and shareholders.
Secure, standardized and resilient business operations help drive all of these things in a positive direction, and the presentation should touch upon the above points to emphasize the benefits across them.
Good luck with your next IT and OT (or one of them) Cybersecurity Strategy and Roadmap presentation, internally or to your clients/customers.
In case it's time to present your 1st IT & OT Cybersecurity Strategy, or time for an update/re-write, feel free to reach out to me via DM or get in touch at info[@]securingthings[dot]com for any business needs, project support, discussions and/or simply information sharing.
Follow @securingthings. It’s a great day to start “Securing Things”.