Selling the value of IT security to the boardroom

Talking to the board about IT security can be a daunting experience. Ron Condon speaks to senior IT professionals about how to manage meetings in the boardroom.

IT professionals can expect to mix in higher circles these days. Each new well-publicised IT security incident raises an obvious question across the boardrooms of Europe: could it happen here? And who better to ask than the IT director?

For many professionals who have risen through the ranks from a technical background of programming and systems work, dealing with higher management can be a bewildering experience.

The IT professional may find it difficult to explain complex and technical issues to a group of people who struggle to program the VCR. At the same time, senior management may wonder whether this person spouting unintelligible jargon and endless acronyms really is the right person to guard the organisation's brand and reputation.

There is only one effective way to bridge the divide between general management and IT, and that is for IT professionals to learn the ways of the business.

Do your preparation

Paul Dorey, director of digital security at oil firm British Petroleum, has plenty of experience presenting IT security to senior management at a number of large organisations. In his experience, preparation is vital.

Dorey's first piece of advice is to know why you are talking to the board. If you know why you are there, it will inform the content of what you are going to say, and also your expectation of what is going to happen as a result, he says.

The board's main concern is due diligence, which supports its oversight of strategy and risk. It is not about agreeing a budget. You do not get a "do this" decision from the board, but you might get a "we concur with your direction" decision, according to Dorey. Either that or they will bring their own experience to guide you.

Dorey's second piece of advice is to use the language of business, not technology. "Use the language of the board, the language of business. This is generally the language of risk. They know that every commercial venture involves a risk, so they understand the concept very well," he says.

This advice is echoed by others who have made it to the top. Paul Wood, group business protection director at insurance group Aviva, says, "Keep it plain, simple, precise and punchy, and align it to a message that is going to mean something to them.

"The key is that they are business people, not IT specialists. You have got to sell it in exactly the same way as they are receiving every other proposal. If you talk in jargon, you will turn them off."

If you need to talk about specifics, he says, try to make it relate to something they can understand. For instance, if you need to talk about passwords, you could relate it to their own experiences of online banking.

Don't talk techie

Marcus Alldrick, principal adviser at consultancy KPMG (and a former head of information security for Abbey National), is even more blunt. "The board are interested in issues, they do not want to talk techie. They want to hear about solutions, not problems. They want to know the implications of those solutions, and not least the cost," he says.

"Increasingly, they are looking for cost benefits and what the value is to the company. So we are talking risk, and you have to couch it in business terms."

But if you have not had much practice speaking in business terms, where do you start? Dorey's advice is to acquaint yourself with the overall strategy of the business, and not just with its IT needs.

"Know the business priorities and the context in which you are presenting. Also understand what level of materiality is relevant to them. If you tell them they stand to lose £1,000, they may just shrug their shoulders. They are used to dealing with large numbers."

That is not to say you should wait for every threat to IT security to become a big one before warning the company. If you can show a growing risk trend and make an informed prediction of a material threat, then that is valuable.

"Every IT security event starts with a series of small happenings - outside the company if you are lucky," says Dorey. "Then when these events trend upwards, you can extrapolate and show it will cause problems in future."

Also try to support your arguments with outside sources, such as surveys and reports. "A graph is much more impressive than a scare headline from a newspaper," Dorey says.

Alldrick underlines the point. "You have to be able to show evidence to support your proposals. You are dealing with business people. The common denominator that they all understand is risk, whether it is credit risk, market risk or operational risk. You have to go in on that basis. It is no good going in on a technical solution that has no commercial justification."

Eye-catching initiatives

Catching the attention of the board can sometimes require a certain amount of shock tactics. One senior IT officer, who asked for his company not to be identified, came up with an original way of explaining why the company website needed to be protected from defacement and attacks.

He commissioned CNN to create a spoof TV news report about his company, in which the company website had been defaced with obscene material. In the report, the chairman of a major retailer was interviewed, saying that his daughter had seen the offending material on the internet, and that he would be cancelling all orders for the company's products.

The graphic illustration of the potential repercussions of poor website security persuaded the board to allocate budget to ensure nothing like that could happen in real life.

But that kind of approach needs to be treated with caution, says Wood. "Do not always go with a horror story, and do not try to frighten the board into reacting. Keep a pragmatic and balanced viewpoint," he says.

"They will call your bluff one day. And you do not want to be known as the man who always delivers bad news."

Professional responsibility

Dorey points out that the person responsible for IT security carries a heavy responsibility. "To mislead the board is unethical and probably illegal.

"If you pitch something incorrectly, by claiming something is a regulatory requirement when it is not, by trying to twist the truth a bit in order to help your story, then you are misleading a board of directors," he says.

"Equally, if you say, 'do not worry about this stuff, it does not matter' and you are wrong, you have gone the other way."

The key is to gain trust long before you enter the boardroom. The successful IT professional needs to step outside the IT department and get to know, and be known by, the rest of the organisation.

"My advice is to get as much exposure to senior management as possible," says Alldrick. "Try to attend meetings where senior management are present. Understand and appreciate the issues that they are dealing with in other parts of the business."

Wood also highlights the need to network within the organisation. "People need to know you," he says. "You need to get to know the board members and their key stakeholders, and influence those key stakeholders."

By planting your ideas at the level below board members, the IT professional can ensure the message infuses the organisation. Then, when you go to the board, your ideas will not be entirely new to them, Wood says.

"You have to be seen on the same levels as their peers. You have to embrace the business and make sure that you understand the business vision and what drives it forward. Get informed about what is happening so you are not just talking security bits with them," says Wood.

No annual report, no comment

If you do nothing else, says Dorey, make sure you read the company's annual report, which can reveal a lot of useful information about the company's strategy and goals. And read the Financial Times, too.

"Read the Financial Times for at least a week before presenting, because that will influence the opinions of the board. It is what they read. And there is nothing like saying 'as today's Financial Times said...' to impress them."

Finally, although it is well worth getting close to the board, the IT professional also has to maintain a professional distance. As the recent and well-publicised spying scandal at Hewlett Packard revealed, companies sometimes ask their staff to indulge in unethical behaviour, and the IT professional has to know when to say no.

All the IT professionals interviewed for this article emphasised the need to maintain formal links with the audit department.

Alldrick recommends "a good, healthy relationship with both internal and external auditors," as well as links to other board directors so that you have an "escape valve" if you are asked to do something unethical, such as deceiving the regulator or spying on a competitor.

For Dorey, the line should be clear. "You have to be true to yourself as a professional, and say 'I cannot do that'. Then you probably have to go off and polish up your CV."

● This article was originally published in Infosecurity magazine, May-June 2007
