Over the years I’ve had the opportunity to present to many senior leadership teams, and on a few occasions, to the Board of Directors (BOD). It is interesting to see what IT Security practitioners choose to present when the receive this opportunity. A majority of the time, they create a hefty slide deck filled with technical slides including security statistics, logs and even pictures of the amazing security architecture. The deck is probably about 25 slides long and they have been given 20 minutes to present somewhere deep in the BOD’s scheduled meeting. They present the slides, barely get finished and nobody has any questions. As a matter of fact, there is mostly blank looks around the table or the people present have resorted to checking their phones to catch up on e-mail they have missed for the last few hours.
More than likely, the BOD didn’t follow the technical jargon that was used and were left wondering if their security program is supporting what they are trying to accomplish at the organizational level. The IT Security person probably left the meeting feeling like they should have included a few more stats about the latest technical product they just managed to purchase after begging the CIO for the past year and a half. Clearly, this did not meet the needs of either party.
After seeing this many times, and thinking about why it ends up this way, it finally struck me.
The distance between the BOD and the IT Security department is too far apart for them to understand each other without one party making an effort to communicate in the other’s context.
What do I mean by that? The graphic that follows represents the thinking on this.
The general structure follows the following pattern:
- The BOD exist within an organization to provide strategic guidance through the members’ vast experience in their area of expertise. Essentially, they provide input on the Enterprise Strategy.
- The Senior Leadership Team takes over and formulates the overall Business/Line of Business (LOB) Strategy that supports the Enterprise Strategy. If the LOB’s are distinct, they may each work on their own LOB Strategy and then bring them together and ensure that they all link together and also supports the Enterprise Strategy.
- With the Business/LOB Strategy in place each senior leader now begins to identify the Tactical Business Plans in order to achieve the Business/LOB Strategy. These plans may include enhancements or additions to existing operations (this often translates into projects for IT).
- With the CIO being part of the Senior Leadership team (hopefully this is the case – it’s not in all the places I’ve been), they can now begin to formulate an IT Strategy that supports the Tactical Business Plans that have been made. This should be done in conjunction with the Senior IT team, led by the CIO.
- The completion of the IT Strategy, once again, in support of the Tactical Business Plans, will lead to Tactical IT Plans. If you are an IT person, these are the projects that you would be working on for the next period (could be weeks, months or years) to complete the IT Tactical Plans in support of the IT Strategy.
- The IT Security Strategy is then developed/modified to ensure that they are able to provide the security services needed to support the IT Tactical Plans and continue to provide support for the existing IT Services.
- Finally, IT Security Tactical plans are created in order to define those projects that will need to be undertaken in an effort to create the new or enhance the existing IT Security Services (IT Security Projects), and ensure that all IT Services are provisioned with the appropriate IT Security controls.
If you are a little dizzy after reading the above description, it should be no surprise why most IT Security to BOD communications are poor. Two very obvious reasons stand out from the description above:
- The process to get from Business Strategy to IT Security Tactical Plans is long and complicated. Most organizations that I have worked with, don’t do this very well and as a result it is extremely difficult to map IT Tactical Plans to Business Strategy Objectives.
- At the BOD meeting, most IT Security practitioners speak from the perspective of the latter two boxes on the diagram. Since the BOD are focused on the first two boxes on the diagram, when IT Security comes in and speaks from their context, it’s like they are speaking another language that the BOD do not understand.
OK – so how do we fix this? Here is what I recommend:
First, it’s the IT Security person’s responsibility (I will assume it’s the CISO here) to take the IT Security Tactical Plans and map backwards up the chain to show how what they are doing supports the Enterprise Strategy. Please note – this is not easy. If the organization has not followed some semblance of the process noted above to get from Enterprise Strategy to IT Security Strategy, then you will most likely not be able to map directly backwards. You may have to skip the middle steps and map directly to the Enterprise Strategy. As someone with a Masters’ in Leadership, I would say that if you cannot map backwards all the way, you will find that the individuals in the IT shop are most likely not as engaged as they could be. The power of understanding how one contributes to the bottom line success of the organization cannot be overstated. If you are a leader in an organization reading this – and you cannot map backwards to your Enterprise Strategy – then you may want to find the gaps and fix them.
Once you are able to map backwards to the Enterprise Strategy, look to showing HOW the things you have in place are supporting the strategic items. This is “speaking the BOD’s language”. They want to understand HOW what you are doing helps them move forward. Some of the stats that you collect can be useful here, things like (not exhaustive, but you will get the idea):
- Uptime – this means that the IT devices required to run/achieve the tactical plans can be achieved
- Increase/Decrease in Security Incidents – shows that time is spent working on the tactical/strategic plans and not cleaning up security incidents
- Number of Repeat Incidents – again, if you are hit by the same ransom-ware attack three times, it means that, again, time is spent on remediation and not on achieving the strategic and tactical goals (it may also mean that you are not learning from the incidents like you should)
- Items you caught before they became a problem – once again, this leads directly to how IT Security helps ensure that Strategic/Tactical initiatives move forward because of the things IT Security has done.
On top of speaking the BOD’s language, I recommend a three staged approach to communicating that allows you to get what you need across to your audience:
- Tell them the things that have gone well/working well – this can include items from the previous list, supported with statistics.
- Tell them areas where improvement is needed – nobody likes to bring bad news to the BOD (especially the CIO); however, the BOD really needs to understand the state of affairs as it exists in the organization. Always present this with a plan on how you are going to move forward. Otherwise you just look like a complainer.
- Ask for their help – BOD’s are typically loaded with very talented people who want the company to do well. The kind of help you should ask for is in the area of priority (if you need help getting the priority of something raised to get it accomplished), process (I was in one organization where there was no defined process to get security standards approved) and resources (if you can demonstrate how resources in a certain area can aid in achieving the Enterprise Strategy and/or Business Strategy & Tactical Plans).
It is possible to have productive communications between both ends of the organizational spectrum; all it takes is a little effort to speak their language.