You feel a mixture of nervousness and excitement. You’re going to present a cybersecurity solution to your company’s board of directors. This is your chance. You have to convince them. You know it will be a challenge because cybersecurity’s benefits are typically intangible—there are no direct profits and success is only achieved when nothing happens. So how can you prepare? You need to know some questions they’ll likely ask. Here are four:
1. Do we really need to be concerned about cyberattacks?
This question is geared toward the cyber threat landscape. Board members may have read an article about a recent cybersecurity attack, seen some alarming statistics, or may be facing regulatory pressure to beef up security. They’re likely to ask how real the danger is and how your current security protocols compare to those of peer organizations.
Related questions: What about that big security breach story in yesterday’s news? How do our defenses stack up against other companies?
Answer: First, speak broadly about security issues and the different ways to respond. List weaknesses in your current security and how other companies are addressing similar gaps. Be upfront and mention that threats are always evolving and it’s impossible to be 100% secure, but the goal is to mitigate cyber risk as much as possible.
Next, get specific. Show them that quantifying your cybersecurity posture is essential, and the standard way to do this is with an established security framework like the CIS Controls or NIST CSF. This will take some of the pressure off you and help convince the board that your recommendations are not just your opinion — they are compliance-related data points you’ve collected using a recognized security framework.
2. What are our top threats and how likely are they?
This is a classic risk management question, and its real purpose is to understand how to prioritize urgent versus non-urgent tasks. You already know that cybersecurity risks are diverse and can impact a business in many ways, including a company’s financials, compliance with industry regulations, and its reputation. So don’t be surprised if you get questions related to these topics as well.
Related questions: What is at stake? Are we trending up or down in security posture?
Answer: Identify the highest risk areas in the company and make specific suggestions about how you can allocate resources to protect them. Point out areas outside of the company’s risk tolerance level and how your proposed cybersecurity solution can bring things back into balance. Typically, decision makers without cybersecurity expertise will underestimate the rapid evolution of cybercrime, so they need to know that measures the company took a year or two ago may now be inadequate.
3. What immediate improvements will we see?
Realize this is not a question solely about security. While of course your cybersecurity posture will improve after investing in it, there will also be a cascade of benefits for the company as a whole.
Related questions: What are the day-to-day benefits? How will this help our team?
Answer: While improvements will be multifaceted, start your answer focused on security. Name some specific benefits you’re likely to see within the first week and month of implementation. One of those is likely to be that all staff members will be better trained to spot cyber threats, immediately strengthening the security of the entire company. But don’t stop there.
Also, explain how hiring a vCISO or MSP partner to co-manage your security will free up your IT team’s time. This will allow people to concentrate on strategic goals and other projects that have been pushed aside due to security demands. With fewer security responsibilities, staff will be more focused and not spread so thin, which will lead to happier employees and a more inviting workplace to attract top talent.
Lastly, improved cybersecurity can protect your business’s reputation. With less chance of being hacked, you reduce your risk of losing current and future customers to a breach that compromises their data. You can promote your security upgrade in your marketing materials (like a brochure or your website) to show potential clients that you take their data security seriously.
4. How much do we need to invest in cybersecurity?
Board members tend to think of the business as an investment and are typically concerned with ROI metrics for this reason. As mentioned above, many benefits of cybersecurity investment are intangible – the objective, after all, is for events not to happen – but that doesn’t mean you can’t give them some clear estimates of how much security is needed to improve the business. Board members ultimately want to see the business grow, so here’s your chance to touch on this motivation.
Related questions: What kind of ROI can we expect? How will resources be allocated?
Answer: Focus on the business’s quarterly and annual goals, and illustrate where you are now and how cybersecurity helps achieve those goals. While the topic you’re speaking about is obviously IT, try not to focus too much on technology. Instead, keep your message about the business performance outcomes that are dependent on technology, because that is what the board truly cares about.
Present to the board of directors with confidence
You’ve prepared, you have a game plan, and you know what the board will ask in your security presentation. So walk into that board meeting standing tall. You truly know that better cybersecurity will benefit your company, so explain exactly why that is.
To really impress them, consider presenting the exact security solution you’ll implement. Umbrella can be that solution. We specialize in helping businesses co-manage their IT security, and we’ve seen our clients benefit from our services firsthand. If you’d like to learn more about how we can help protect your company while freeing up your time, get in touch with us today.