Need board support for IT security investments? Think about who they really are first, advises Kier CIO Duncan Stott
Understanding board members can help when making IT security pitches to them, says Stott
CIOs and chief information security officers (CISOs) should research their board members - who they are and what interests them - before pitching for security investments.
That's the advice of Duncan Stott, CIO at construction giant Kier, speaking at Computing's Enterprise Security and Risk Management Live event in London today.
"It's important to think first who our audience are," said Stott. "The board is comprised of special people; unusual people. They look very high and broad across very big programmes. They won't understand much about IT and they certainly won't understand much about IT security. You can't make the IT people, and we can't make them CISOs; yet, they are in the position of power.
"So we need to now who it is we are talking and to think through what the world looks like from their perspective.
"They are often non-executive directors, so they come from other organisations as well.
"When presenting to the board, it's worth research then to find out who they really are and the other organisations they may represent.
"I work at a construction company, but one of our non-executive directors is a university chancellor so she'll probably be interested in the skills angle.
"Another one is on the board of a power station company, so they will have an understanding of infrastructure," said Stott.
They should also have an elevated appreciation of IT security, especially with the introduction of the EU Network and Information Systems (NIS) Directive earlier this year, which mandates elevated levels of security for essential infrastructure providers.
Stott continued: "So it's interesting to think through who your board members really are, to look into their background. What security incidents might they potentially experience in the organisations that they work for, and what are their perspectives going to be."
For example, a university chancellor ought to have an elevated appreciation of end-user risks.
"They are also people who are expert at walking into a place they don't necessarily understand, but making a good judgement on it.
"They could walk into a garden centre, for example, and after a half-hour interrogation give a good judgement on how well the garden centres is running.
"They are good at making objective judgements about the competence of an operation, even if they don't understand the detail of it.
"So it's worth thinking about who the board members really are."
Andrew Hunt, digital data director at Thought Research, added: "The board will not know the detail. They won't understand as much of the detail as you do, so you will need to be able to provide them with relatively simply explanations - not the full technical detail.
"[But] they are astute, so they will understand a lot of what you say, but when you talk about the detail of it all, they may switch off.
"You also have to bear in mind that they also have a wider perspective of the organisation, not just the narrow cyber security side of thingsā¦ Cyber secuity is a small, albeit relatively important, fraction of operations."