IT professionals can expect to mix in higher circles
these days. Each new well-publicised IT security incident raises an
obvious question across the boardrooms of Europe: could it happen
here? And who better to ask than the IT director?
For many professionals who have risen through the ranks from a
technical background of programming and systems work, dealing with
higher management can be a bewildering experience.
The IT professional may find it difficult to explain complex and
technical issues to a group of people who struggle to program the
VCR. At the same time, senior management may wonder whether this
person spouting unintelligible jargon and endless acronyms really
is the right person to guard the organisation's brand and
reputation.
There is only one effective way to bridge the divide between
general management and IT, and that is for IT professionals to
learn the ways of the business.
Do your preparation
Paul Dorey, director of digital security at oil firm British
Petroleum, has plenty of experience presenting IT security to
senior management at a number of large organisations. In his
experience, preparation is vital.
Dorey's first piece of advice is to know why you are talking to
the board. If you know why you are there, it will inform the
content of what you are going to say, and also your expectation of
what is going to happen as a result, he says.
The board's main concern is due diligence, which will help them
with strategy and risk
overview. It is not about agreeing a budget. You do not get a "do
this" decision from the board, but you might get a "we concur with
your direction" decision, according to Dorey. Either that or they
will bring their own experience to guide you.
Dorey's second piece of advice is to use the language of
business, not technology. "Use the language of the board, the
language of business. This is generally the language of risk.
They know that every commercial venture
involves a risk, so they understand the concept very well," he
says.
This advice is echoed by others who have made it to the top.
Paul Wood, group business protection director at insurance group
Aviva, says, "Keep it plain, simple, precise and punchy, and align
it to a message that is going to mean something to them.
"The key is that they are business people, not IT specialists.
You have got to sell it in exactly the same way as they are
receiving every other proposal. If you talk in jargon, you will
turn them off."
If you need to talk about specifics, he says, try to make it
relate to something they can understand. For instance, if you need
to talk about passwords, you could relate it to their own
experiences of online banking.
Don't talk techie
Marcus Alldrick, principal adviser at consultancy KPMG (and a
former head of information security for Abbey National), is even
more blunt. "The board are interested in issues, they do not want
to talk techie. They want to hear about solutions, not problems.
They want to know the implications of those solutions, and not
least the cost," he says.
"Increasingly, they are looking for cost benefits and what the
value is to the company. So we are talking risk, and you have to
couch it in business terms."
But if you have not had much practice speaking in business
terms, where do you start? Dorey's advice is to acquaint yourself
with the overall strategy of the business, and not just with its IT
needs.
"Know the business priorities and the context in which you are
presenting. Also understand what level of materiality is relevant
to them. If you tell them they stand to lose £1,000, they may just
shrug their shoulders. They are used to dealing with large
numbers."
That is not to say you should wait for every threat to IT
security to become a big one before warning the company. If you can
show a growing risk trend and make an informed prediction of a
material threat, then that is valuable.
"Every IT security event starts with a series of small
happenings - outside the company if you are lucky," says Dorey.
"Then when these events trend upwards, you can extrapolate and show
it will cause problems in future."
Also try to support your arguments with outside sources, such as
surveys and reports. "A graph is much more impressive than a scare
headline from a newspaper," Dorey says.
Alldrick underlines the point. "You have to be able to show
evidence to support your proposals. You are dealing with business
people. The common denominator that they all understand is risk,
whether it is credit risk, market risk or operational risk. You
have to go in on that basis. It is no good going in on a technical
solution that has no commercial justification."
Eye-catching initiatives
Catching the attention of the board can sometimes require a
certain amount of shock tactics. One senior IT officer, who asked
for his company not to be identified, came up with an original way
of explaining why the company website needed to be protected from
defacement and attacks.
He commissioned CNN to create a spoof TV news report about his
company, in which the company website had been defaced with obscene
material. In the report, the chairman of a major retailer was
interviewed, saying that his daughter had seen the offending
material on the internet, and that he would be cancelling all
orders for the company's products.
The graphic illustration of the potential repercussions of poor
website security persuaded the board to allocate budget to ensure
nothing like that could happen in real life.
But that kind of approach needs to be treated with caution, says
Wood. "Do not always go with a horror story, and do not try to
frighten the board into reacting. Keep a pragmatic and balanced
viewpoint," he says.
"They will call your bluff one day. And you do not want to be
known as the man who always delivers bad news."
Professional responsibility
Dorey points out that the person responsible for IT security
carries a heavy responsibility.
"To mislead the board is unethical and probably illegal.
"If you pitch something incorrectly, by claiming something is a
regulatory requirement when it is not, by trying to twist the truth
a bit in order to help your story, then you are misleading a board
of directors," he says.
"Equally, if you say, 'do not worry about this stuff, it does
not matter' and you are wrong, you have gone the other way."
The key is to gain trust long before you enter the boardroom.
The successful IT professional needs to step outside the IT
department and get to know, and be known by, the rest of the
organisation.
"My advice is to get as much exposure to senior management as
possible," says Alldrick. "Try to attend meetings where senior
management are present. Understand and appreciate the issues that
they are dealing with in other parts of the business."
Wood also highlights the need to network within the
organisation. "People need to know you," he says. "You need to get
to know the board members and their key stakeholders, and influence
those key stakeholders."
By planting your ideas at the level below board members, the IT
professional can ensure the message infuses the organisation. Then,
when you go to the board your ideas will not be entirely new to
them, Wood says.
"You have to be seen on the same levels as their peers. You have
to embrace the business and make sure that you understand the
business vision and what drives it forward. Get informed about what
is happening so you are not just talking security bits with them,"
says Wood.
No annual report, no comment
If you do nothing else, says Dorey, make sure you read the
company's annual report, which can reveal a lot of useful
information about the company's strategy and goals. And read the
Financial Times, too.
"Read the Financial Times for at least a week before presenting,
because that will influence the opinions of the board. It is what
they read. And there is nothing like saying 'as today's Financial
Times said...' to impress them."
Finally, although it is well worth getting close to the board,
the IT professional also has to maintain a professional distance.
As the recent and well-publicised spying scandal at Hewlett Packard
revealed, companies sometimes ask their staff to indulge in
unethical behaviour, and the IT professional has to know when to
say no.
All the IT professionals interviewed for this article emphasised
the need to maintain formal links with the audit department.
Alldrick recommends "a good, healthy relationship with both
internal and external auditors," as well as links to other board
directors so that you have an "escape valve" if you are asked to do
something unethical, such as deceiving the regulator or spying on a
competitor.
For Dorey, the line should be clear. "You have to be true to
yourself as a professional, and say 'I cannot do that'. Then you
probably have to go off and polish up your CV."
● This article was originally published in Infosecurity
magazine, May-June 2007