It’s that time. You have to report on the state of enterprise security to your board. The presentation is critical: the security of your company, its reputation, and its financial health all depend on you. Your board members need to understand the business risks you face, and how you plan to mitigate them. But their time—and attention—is limited. Keep it short, and make it matter.
Follow these six steps to achieve your goals.
1. Cyber threats are real—stick to the facts
They’ve heard the numbers. As much as $575 billion is lost to cyber crime annually. Data breaches can cost more than $400 million. Information like this falls on deaf ears. Board members are numb. But they need to understand the general risks of doing business online—which are endemic—versus the threats that face your industry, and your business specifically. If your organization’s largest risk is related to a lack of controls or inadequate processes, they need to know that. Most importantly, they need to know what you are doing about it. Don’t go to the board with problems for which you haven’t figured out solutions.
Tell a compelling story about a security breach, preferably in your industry. Give examples from your own company. Identify critical information assets—intellectual property, sensitive customer data—and paint a picture of what would happen and what it would cost if they were compromised.
2. Provide metrics that convince
If you have gaps in security controls that you are struggling to get resources to fix, give the board evidence that you are continuously under attack and that your networks are constantly probed. Make it clear that sooner or later, the bad guys will succeed. Educate them. Surprise them.
- 73 percent of companies suffered at least one security breach in the past year
- About a third of employees targeted for phishing will open fraudulent emails
- More than one in 10 take the bait—and it only takes one
- Less than two minutes elapse from the hacker hitting send to your systems being compromised
- Hackers are inside your organization, on average, for at least four months before they’re discovered
- Web apps are the number one entry point for breaches
3. Get their support in adopting a culture of security
Human error accounts for 58 percent of cyber breaches. A secure business is a business in which everyone is educated about threats and does their part to reduce risk. This starts with rigorous—and repeated—training, and perhaps even commitment to a standard like ISO 27001.
4. Convince them they need incident response help
Encourage the board to face facts: all organizations today face the very real possibility they will be breached. How much damage you suffer depends on how quickly and effectively you respond, so why not get prepared? Most companies don’t have the skills for effective incident response (IR). You need technical, forensic, legal, and public relations support to get through the trauma. Your best bet: a third party with specialized expertise. A good IR firm will have your back.
5. Discuss cyber insurance
Cyber insurance is integral to your security strategy. Yet only 19 percent of companies have cyber insurance. And most are grossly underinsured, with only 12 percent of the total costs of a typical breach covered. Cyber insurance is the fastest-growing insurance in the world, with annual premiums projected to increase 300 percent from $2.5 billion today by 2020. Do the math for your board. Calculate how much your business can absorb from a breach without financial catastrophe. Pick a level of risk that you are comfortable with, and insure the rest.
6. Get them to champion those efforts for which you didn’t get budget approval
You have done your homework and already secured funds for some of your efforts. If you have risk areas that need addressing but no budget to address them, board members need to know this and either accept the risk or champion a solution. There’s no better way to get something accomplished than by saying that “the board” requested it get done.
IN CONCLUSION
As you go through this exercise, be a little selfish. If you’re not getting the support you need to defend against existential threats, think of your own reputation and career. If your board doesn’t get it, it might be time for you to consider your options.
It’s that important.
About the Author
Ryan Kearny was appointed the Executive Vice President of Product Development and Chief Technology Officer at F5 Networks in October 2016. He is responsible for overseeing the company’s technology roadmap and leading F5’s engineering team. Kearny joined the company in 1998 and was named Vice President of Product Development in May 2004 and Senior Vice President of Product Development in January 2012. He holds a B.S. in Electrical Engineering from the University of Washington.