Cybersecurity is a complex, quickly evolving field, and that puts CISOs in a difficult position: you need to make new investments regularly to maintain a strong security posture, but you can’t keep going back to the board again and again for more resources.
The reality is that a Chief Information Security Officer (CISO) must think carefully about how to present plans for new cybersecurity investments to the board. After all, the board has many other priorities competing for its blessing; so while directors might want to support cybersecurity in theory, getting them to support your investment plans in practice can be hard. Success requires a deft, thoughtful approach.
For example, one might assume that the board will want to see extensive data about the need for new IT investments or a precise cybersecurity ROI analysis. That information does have its place, but that place is in an appendix to your presentation. Board directors typically hail from operational, finance, or strategic backgrounds; foremost, they want to understand how your proposed investment supports the organization’s objectives. Once you’ve won that argument, bargaining over the specific amount to spend will be much easier.
To that end, we can frame this challenge as a series of questions that board directors are likely to ask when the CISO is seeking more cybersecurity investments.
7 Questions Board Members Want Answers To
1. What are we doing, in the simplest terms?
Always remember that most board directors don’t hail from a cybersecurity background. Most will be at least passably conversant in cyber issues, but you’ll be lucky to have one true cyber expert in the room. Moreover, only the largest businesses will have a board-level committee dedicated to cybersecurity and IT risk. Most organizations will roll cybersecurity into a more general “risk committee” that also handles compliance, corruption, or other risks.
As a practical matter, then, a CISO must assume the board needs cyber investments explained in non-technical terms. For example:
Bad –“We need a tool to automate our risk and control mapping for NIST 800-171.”
Better –“Defense contractors must meet a government security standard called NIST 800-171. We need to buy a tool to help us understand how much of that standard we already meet and what else we’ll need to do.”
2. How does this support our strategic business objectives?
“Strategic business objectives” is a fancy way of saying “business goals.” That’s what the board wants to know: how your proposed investment will help the organization achieve its goals.
Go back to our NIST 800-171 example above. You could say something like, “If we want to bid on defense contracts, we need to comply with that cybersecurity standard. That’s an onerous undertaking. An automated tool will cut the staff hours involved and reduce our chances of error.” In other words, the investment will help the company reach a new customer base.
Other business objectives could be increased operational efficiency (“By moving to single sign-on, our employees will be more efficient in their many duties”), new product offerings (“Automated patch management will let us upgrade our SaaS products more quickly”), or some other business goal. The point is simply that you can show the board how your proposed cybersecurity investment helps to achieve those objectives.
3. How does this help us achieve regulatory compliance?
Compliance objectives are just as important to boards as business objectives, and sometimes even more so. Wherever possible, explain how your proposed investment will either satisfy some specific regulatory requirement or make your current compliance efforts more efficient.
This is also where CISOs should think shrewdly about the specific investments they want to make. An investment that can satisfy multiple compliance obligations will be better received than an investment that satisfies only one; and an investment that can leave your organization better positioned to satisfy any new compliance demands (say, an automated vulnerability scanning tool) will be most popular of all.
4. How does this cybersecurity investment relate to our risks?
Just like CISOs, boards worry about risk all the time. Their job is to understand all risks relevant to the organization and its mission, and then to assure that systems are in place to keep those risks at acceptable levels while the organization tries to achieve its business objectives.
To that end, boards will want to know how your proposed investment relates to the risks they’re watching. The more risks your proposed investment will address, or the more serious and pressing the risks it can address, the better.
Your risk assessments are the evidence to draw on here. An investment that addresses a finding the board has already seen in a risk assessment is far easier to justify than one that appears out of nowhere, and walking the board through the assessment builds the shared vocabulary you will need when managing future risks together.
One could also think of it this way: tying your proposed cybersecurity investment to certain risks helps the board understand the priority your investment should receive. For example, if the company hasn’t been encrypting personal data, you could say, “This is a huge regulatory and reputational risk for the company. My proposed tool to automate encryption will reduce that risk to a much lower tier of concern.”
5. How will we measure the success of this investment?
This question is a natural follow-up to the preceding one. It’s not enough to say that your proposed investment would lower a certain risk from the “high” to “low” category. Boards will want to know exactly how you plan to measure that progress.
This is where key performance indicators (KPIs) and key risk indicators (KRIs) will be critical for mapping your success. You’ll need to explain which KPIs and KRIs relate to your proposed investment and potentially even set target goals for what those KPIs and KRIs should look like after implementing the investment.
For example, if you want to invest in software to map your existing controls to various compliance frameworks, you might define success as documenting controls for all framework demands in the first year; followed by a program of replacing manual controls with automated controls in the second year; and then at least 90% of all controls tested as effective in ongoing years.
6. What reports will we get?
CISOs are in the business of assuring the board that cybersecurity risks are being kept in check. As you make new investments and strengthen the organization’s cybersecurity posture, the board will want to know how that might change the assurance you provide.
This could be as practical as existing reports, with whatever KPIs and KRIs they contain, being presented in new ways — say, with more charts and graphs rather than dense tables of numbers. It could also be something as substantive as entirely new KPIs or KRIs that you previously couldn’t track.
More broadly, most new cybersecurity investments give you, the CISO, more insight into your cybersecurity risks, and better insight changes the conversation you can have with the board about those risks. Explain to the board how the investment will let you have better, more productive conversations with them.
7. What are the TCO and ROI of this cybersecurity investment?
The questions above all address the strategic or operational benefits of your proposed investment, but money still matters. The board will want to know the total cost of ownership (TCO) and the return on investment (ROI) for your grand plans.
Total cost of ownership (TCO) is not simply the cost of purchasing or developing the tool you want. You also need to include any other expenses that might arise as part of supporting this investment, such as the costs for:
- Training employees, including time spent away from their routine jobs;
- Maintaining the software, such as future upgrades;
- Terminating any existing legacy systems;
- Severance to redundant employees, if any;
- Additional bandwidth, equipment, or other IT assets.
All of that needs to be included in the TCO estimate, since implementing new software or security procedures can be enormously disruptive. Surprising the board with such expenses after they approved a project assuming lower costs will do you no favors.
Your cybersecurity ROI estimates need similar precision. For example, say you want to automate security testing. Estimate the time your team spends on those tests manually. Consult with HR on the compensation costs for those employees (including hidden costs for healthcare or other benefits), and calculate the dollar value of the time spent on testing. Then, show how your proposed automation investment would cut those costs and free up your employees to tackle other, more valuable work.
Do the math. If 10 employees each spend an hour a day testing security controls, over 260 working days that is 2,600 working hours a year. If the company’s fully loaded cost for a security employee (salary, benefits, overhead) averages $80 an hour, the company spends $208,000 a year on manual testing. If the automation solution costs $100,000 a year, the company saves $108,000 a year on testing, a return of roughly 108% on the spend, and automated testing is also less error-prone than manual tests. That is the ROI for the project. Two caveats keep the figure honest: the $100,000 should be the full cost of ownership from the previous section, not just the license price, and the savings are only real if those 2,600 hours are actually redirected to other work or removed from headcount.
Align business objectives to demonstrate the value of cybersecurity investments
As we said at the beginning, board directors want to support cybersecurity. They just struggle to balance cybersecurity needs against the many other objectives they’re trying to support. So they need help understanding how your proposed investment will help those other objectives, in as cost-efficient a manner as possible.
That’s one part ROI and TCO projections, certainly. But the larger conversation is explaining how your proposed investment supports the company’s strategic objectives, operational needs, and regulatory obligations. Win that battle, and victory will be much closer regardless of the numbers.
Financial considerations matter, but the broader conversation is about how these investments protect the organization’s mission. CISOs who tie each proposal to strategic objectives, regulatory compliance, risk management, and measurable success are the ones who get approval.