Data Breaches: 8 Tips For Board-Level Discussions

With all the recent news of massive data spills and security breaches, corporate boards are asking tough questions of their executive management and, in turn, their information security teams. What did those companies do wrong? How does our company compare? Are we next?

Welcome to the hot seat. You have their attention. Now your job is to leverage this opportunity to garner their respect, deepen their trust, and increase their investment in a strategic information security program. It's going to be a difficult conversation. But the white-hot spotlight gives you a chance to shine.

So in this spirit, here are 8 ways to prepare for the conversation of a career:

Just say no to FUD. When trying to position information security on the executive agenda, many IT-security marketers use fear, uncertainty, and doubt to drive emotional decision-making and, they hope, purchasing. This approach is a remarkably unreliable. Any social scientist will tell you that fear provokes three common human reactions: fight, flight, or freeze. When fear is our baseline emotional state, we are not particularly receptive and, worse, we are often incapable of parsing nuanced information. Simply put, we go into caveman mode. Thanks to events beyond your control, you already have their attention. So skip the FUD. Your job is to conduct a nuanced, information-rich discussion.

Know the stories. With such sensational media coverage, even my mother thinks she knows what caused the Target and Home Depot data breaches. But there is a story behind the headlines. There are trusted people within your network (e.g., analysts, security insiders) who are likely better informed about the chain of events. You want facts, not headlines. Take the time to do some research and be prepared to offer insights not found in the mainstream media.

[Is your IT team among the best? Get the recognition you deserve as part of the InformationWeek Elite 100. Apply today.]

Own your data. If your program is routinely audited by a credible third-party information security firm, you already know where the bodies are buried. Own it. No security program is perfect. Highlight your areas of concern. Be prepared to discuss why you're making certain tradeoffs. Be prepared for full disclosure. Show up with data in hand.

Avoid the blame game at all costs. No security program has infinite resources -- not even the NSA's. And if there were one, I guarantee the program would still be vulnerable. Security is about making tough resource choices all the time. If you have zero budget, you have zero budget. That's a fact. The fault is not the board's or the CEO's lack of vision. If you are the CIO or CISO, the failure lies with you, because up until now, you have been unable to sell them on the program's necessity. Accept all responsibility and move on. Any finger pointing, perceived or otherwise, will only serve to discredit you and your message.

Name the mountain. What would help you sleep better at night? Having routine security code audits of all mission-critical applications? Increasing your audits to quarterly? Having a highly trained incident response team that works closely with an expert crisis communications team on the ready? Choose a large, inspiring strategy, a mountain that your team wishes to climb together. Now let that mountain be your Big Ask of the board.

Highlight your team. You are not an army of one. If you are going to accomplish this mission, the board needs to know that you have capable team members. Showcase them. Highlight their key accomplishments. If you have holes in your team, highlight the hires you wish to make and how their skills are needed, specifically, to climb the mountain.

Prepare for the worst. Inspiration that is not grounded in reality will land half-baked. The reality is stark. Your best efforts will never, no matter what, eliminate the risk of a catastrophic breach. At best, you can prepare your board for that reality and have plans in place to act quickly and intelligently. Plain speaking here will gain you credibility and ground your vision.

Be proactive. In my experience, nothing is harder to fund than proactive behavior. After a breach, budgets loosen. But it is a mistake to ask only for funds required to put out the current fire. This is your moment to ask for the proactive funds needed to build an exceptional, forward-looking program. Is there a proactive project your team would love to do? Ask now. Your chances will never be better.

Information security is a notoriously thankless job. If all goes well, no one notices. It's only at moments like these where a CIO or CISO may even be asked for a board presentation. This is your time to shine. So channel your inner Jean-Luc Picard and make it so.

Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.