As a chief information security officer (CISO), meeting with your board usually involves a budget request or an issue that needs solving. But what if you’re asked to justify your data loss prevention (DLP) program because you require funding? How do you keep your discussion targeted for a nontechnical board and get the funds you need to defend your organisation's data?
Meeting with the board to discuss information protection is different from meeting with your C-level executives, but many aspects remain the same. When presenting your program, it’s critical to know your audience, focus on the key messages you want them to remember, avoid using acronyms and technical terms, and above all, be succinct.
Know your audience
Research your board of directors to understand their backgrounds and experience. Each board member brings different experiences and skills to the board. Communicating using business terms will facilitate a higher level of understanding. This information can also help you determine which examples are best to use when referencing specific data loss scenarios.
Focus on key messages
Part of our job as CISOs is to educate and inform. It’s easy to forget that we’re cybersecurity experts.
When we discuss information protection, the five points to address include the data protection strategy, financial implications, business and cultural impact, and risks. Emphasise the results to be achieved through risk reduction—stakeholder value, brand reputation, and legal and regulatory compliance.
Avoid using acronyms
DLP, IP, GDPR, and HIPAA are all terms that most CISOs understand and use in conversation. Enterprises also have various internal acronyms and project names intended to simplify communication. However, for the uninformed, they can distract attention from the message being delivered.
The board may be familiar with information protection acronyms, but your message will resonate better when you avoid acronyms and internal project names whenever possible.
Taking the time to prepare, knowing your audience, and focusing on your key messaging will enable you to deliver your message clearly and confidently to the board. Help them understand the challenges and opportunities the organisation faces with information protection. Be sure to address the specific risks being mitigated and the potential impact of inaction. Finally, conclude your discussion by reiterating your key messages.
To learn more about talking to the board about DLP, join Dr. Deborah Watson, resident CISO at Proofpoint, on Tuesday, 7 March, for a 30-minute discussion about what every CISO needs to know before they approach the board about enhancing their DLP program.
This webinar is the first in a three-part series for CISOs. You will learn:
- How to discuss the DLP problem you face
- How to discuss the data you need to protect and why it’s important
- What’s needed to close the gap in your organisation to defend against insider threats and compromised users effectively
Register for the webinar to reserve your spot for Dr. Watson’s webinar on a CISO’s Guide to Justifying the Importance of Your DLP Program to the Board.