Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Presenting IT and OT Cybersecurity Strategy to Executives/Board of Directors

This blog post continues the ninth edition of the Securing Things newsletter, Digital Transformation & Cybersecurity Premier (an introduction), and the 11th edition, IT & OT/ICS Cybersecurity Strategy, which covers drafting an integrated IT and OT/ICS cybersecurity strategy or separate ones. In case you've missed them, I highly recommend reading them first before reading this edition.

Let's get started. Are you ready?

Now that you've laid out the high-level steps of the digital transformation and cybersecurity strategy journey and finished drafting the cybersecurity strategy (phase 1 in the strategy lifecycle), the next step is preparing and presenting that strategy to business executives and/or the board of directors. The goal is their buy-in and approval for the funding, executive commitment and resources required to execute the strategy (phase 2 in the strategy lifecycle).

This is probably one of the most daunting and difficult tasks for many, especially for people with technical skills but no management background or business skills. Many struggle to get the message across and don't get the right level of support or funding from business leaders and executives. You need to take off your technical hat and put on your business hat: simplify the messaging around the cyber risk equation, and focus on the risks and consequences your organization is potentially exposed to.

On a daily basis, business executives and the board of directors are making decisions to move the business forward by managing the varying types of risk (financial, reputational, legal, environmental, ESG, operational, etc.) that their business operations face, so that investment decisions are prioritized accordingly.

Before the Presentation

Research the executive audience you'll be presenting to: what they like to discuss, their interests, their persona types and so on. If you know them personally you may have an advantage, but in many cases you won't interact with them on a daily basis. If you don't know them closely, ask people around you who have presented to them, and take their feedback on what works and what may not into account.

Presentation (Content Preparation-to-Delivery)

The Storyline

Make it sound like you are taking them on a short, precise journey: where things stand today (current state), what your recommended target state looks like, and what it would take the business to reach that target state, i.e. a managed-risk state.

Presentation Content

Below is an example agenda:

Agenda/Presentation Title - choose a catchy title that draws attention (signalling that something important is coming) and that resonates with the business vision and/or priority business goals, e.g.:

  • Global Cybersecurity Strategy (2023-2026) or
  • IT and OT/ICS Cybersecurity Strategy & Program Roadmap - A structured risk reduction approach.

Note: choose titles specific to your own environment and scenario.

[Image: Example STL IT & OT Cybersecurity Strategy Presentation Agenda]

(Note:

  • Brand names/products/services can be replaced by your own business elements, e.g. X food and X beverage brand or product names, services, or anything else that is business specific.
  • Depending on the executive leadership style, some would prefer the asks (item 4 in the picture above) to come earlier in the presentation, before you talk about items 2 and 3. Adjust accordingly.)

Ensure you understand the current business climate and situation, and whether it's the right time to ask in the first place. The budget submission period is ideal, but you need to spread awareness among peers and other parts of the business well in advance to get buy-in in time for the budget.

Be as specific and precise as possible on the asks from the executives (e.g., resource requirements, staff involvement, approvals and funding etc.).

Taking Inspiration from Different Experts from the Field

It's great to learn from experts who share techniques on how they are moving ahead with their plans, what hurdles they face and how they've overcome them, including ideas on what to present and what not to cover.

Below is a list of a few great video presentations for reference:

  1. A case study master class on Reporting Cyber Risk to the Board - YouTube (by Omar Khawaja)
  2. A Practical Approach to Presenting to the Board of Directors for CIOs #GartnerSYM - (by Tina Nunno)
  3. How to Present Cyber Security Risk to Senior Leadership | SANS Webcast - YouTube (by James Tarala)
  4. Briefing the Board: Lessons Learned from CISOs and Directors - YouTube (by Alan Paller, John P.)
  5. Risk Management & Executive Communication with Patrick Miller (by Patrick C Miller)
  6. Cybersecurity Leadership - YouTube (a playlist of 112 videos from the SANS Institute Cybersecurity Leadership series; many presenters to thank).


Presentation Delivery

You'll likely only have 30 minutes to an hour (if you are lucky) to get your message across and make it stick with executives. Prepare. Do some dry runs with colleagues and your team. Modify and adjust.

Be ready to request another slot and/or shorten your presentation, as something urgent will far too often come up at the last minute. Have a 15-minute version in mind in case the original timeslot shrinks.

Tip: check out the example videos above for insightful tips and approaches.

Takeaways

Executives and the board care about (or are tasked with) the following few things:

  • risks (regulatory, security, brand/reputation, financial, innovation or lack thereof),
  • revenue/mission,
  • costs (do more with less), and
  • customers and shareholders.

Secure, standardized and resilient business operations help drive all of these in a positive direction, and the presentation should touch on each of the points above to emphasize the benefits across them.

Good luck for your next IT and OT (or one of them) Cybersecurity Strategy and Roadmap presentation internally or to your clients/customers.

In case it's time for presenting your 1st IT & OT Cybersecurity Strategy or time for an update/re-write - feel free to reach out to me via DM or get in touch at info[@]securingthings[dot]com for any business needs, project support, discussions and or simply information sharing.

Follow @securingthings. It’s a great day to start “Securing Things”. 

Muhammad Yousuf Faisal

M. Yousuf Faisal (EMBA, GICSP, ISO 27001 LA, CISSP, CISM, CISA) has more than two decades of industry experience in technology and cybersecurity, helping organizations across multiple industry sectors worldwide secure their digital transformation journey. As founder of "Securing Things," he currently offers cybersecurity advisory and consulting services, training, and solutions for both IT and OT/ICS/IoT environments. He holds a B.E. in Electrical Engineering and an Executive MBA degree.
