How William Hill's CISO sells cyber security to the board: Simple, practical, pragmatic and obvious

CISOs need to sell security to the board like a marketeer, says William Hill's Group CISO Killian Faughnan

A successful CISO should sell cyber security to the board with the technique of a marketer, William Hill's Group CISO Killian Faughnan has argued.

Speaking today at Infosecurity Europe 2019, Faughnan said that while cyber security "thrives on truth", the board will already come with their own preconceptions about the CISO's own truths - who they are, and what they believe.

"So two words are important at this point," said Faughnan - "the word marketing, and the word customer. Because what we're doing is marketing a product to our customer - we're marketing security".

Faughnan said that, coming from a traditionally technical cyber security background, he initially balked at taking on such a soft skill position, but found the idea of better understanding the complexities of the board as a group of individuals a key to making a breakthrough.

"Board members are people too," he said.

"They are not homogenous institutions. They have different goals and agendas, and different world views.

"You need to understand what the CEO wants, and the CTO, the CFO - there will never be one homogenous set of things. You need to know what motivates and drives them."

Once you know your customer, you need to know your product, Faughnan continued.

"It should be simple, practical, pragmatic and obvious," he emphasised. "You probably only have 15 minutes to engage - even if you've booked a 30 minute slot."

One habit Faughnan said he has learned to temper in his time as a CISO is blinding a board with an over-abundance of data - including a dizzying array of pie charts and numbers.

"If you distract them with data - they'll just hire someone else," said Faughnan.

"Your job [as CISO] is to take all that data, cut it down to something meaningful, and present it to the board in a way that makes them trust you."

Faughnan said any CISO should be aiming to bring an entire board-level security conversation down to just one presentation slide.

"Obviously, you'll never get down to one slide, but you should be aiming for that - day in, day out," he said.

"There [should always be] three things you can distil it down to. What you should be aiming for is to say, 'We're doing well, see you next quarter', or 'We're not doing well, we need to have a chat' - simple messages that make them trust you."
