Presenting IT & OT Cybersecurity Strategy to Executives / Board of Directors

This is the 12th edition of the #SecuringThings newsletter. I'd like to take this opportunity to thank all readers and subscribers for their support, appreciation and engagement.

---------------------------------------------------------------------------------------------------------

This edition continues from the 9th edition - Digital Transformation & Cybersecurity Premier (an introduction) and the 11th edition - IT & OT/ICS Cybersecurity Strategy, which talks about drafting an integrated IT and OT/ICS cybersecurity strategy or independent ones. In case you've missed them, I highly recommend reading them before this edition of the newsletter.

So let's get started. Are you ready?

Now that you've laid out the high-level steps of the #digitaltransformation and #cybersecurity #strategy journey and have finished drafting/developing the #cybersecurity strategy (phase 1 in the strategy lifecycle), the next step is preparing and presenting the cybersecurity strategy to business executives and/or the board of directors to get their buy-in and approval for the funding, executive commitment and resources required to execute the strategy (which is phase 2 in the strategy cycle).

This is probably one of the most daunting and difficult tasks for many, especially for people with technical skills and no management background or business skills. Many struggle to get the message across and don't get the right level of support or funding from business leaders/executives. You need to take off your technical hat and put on your business hat to simplify the messaging around the cyber risk equation, and focus on the risks and consequences that your organization is potentially exposed to.

On a daily basis, business executives and the board of directors work to make the right decisions to move the business forward by managing the varying types of risk (financial, reputational, legal, environmental, ESG, operational, etc.) that their business operations need to address, so that their investment decisions are prioritized.

Before the Presentation

Research the executive audience you'll be presenting to (what they like to discuss, their interests, persona types, etc.). If you know them personally you may have an advantage, but in some cases it's very likely that you don't interact with them on a daily basis. If you don't know them closely, ask people around you who have given presentations, and take into account their feedback on what works and what may not work.

Presentation (Content Preparation-to-Delivery)

The Story line

Make it sound like you are taking them on a short, precise, quick journey in which you present the current state of affairs, what your recommended target state looks like, and what it would take the business to achieve that target state, i.e. a managed risk state.

Presentation Content

Below is an example agenda:

Agenda/Presentation Title - choose a catchy agenda title that draws attention (signalling that something important is coming) and that may resonate with the business vision and/or business priority goals. E.g.:

  • Global Cybersecurity Strategy (2023-2026) or
  • IT & OT/ICS Cybersecurity Strategy & Program Roadmap - A structured risk reduction approach.

Note: choose titles specific to your own environment and scenario.

Example STL IT & OT Cybersecurity Strategy Presentation Agenda

(note:

  • BrandName/Products/Services could be replaced by your specific business elements e.g. X Food & X Beverages brand or product names / services - anything that's business specific.
  • depending upon the executive leadership style, some would prefer the asks (i.e. item 4 in the above picture) to be put up front, earlier in the presentation, before you talk about items 2 and 3. Therefore, adjust accordingly).

Ensure you understand the current business climate and situation, and whether it's the right time to ask in the first place. The budget submission period is perfect, but you need to spread awareness among peers and other parts of the business well in advance to get buy-in in time for the budget.

Be as specific and precise as possible about the asks from the executives (e.g., resource requirements, staff involvement, approvals, funding, etc.).

Taking Inspiration from different experts from the field

It's great to learn from experts who share wonderful techniques on how they are moving ahead with their plans, what hurdles they face and how they've overcome them, including ideas on what to present and what not to cover.

Below is a list of a few of the many such great video presentations for reference:

  1. A case study master class on Reporting Cyber Risk to the Board by Omar Khwaja - YouTube (by Omar Khawaja)
  2. A Practical Approach to Presenting to the Board of Directors for CIOs #GartnerSYM (by Tina Nunno)
  3. How to Present Cyber Security Risk to Senior Leadership | SANS Webcast - YouTube (by James Tarala)
  4. Briefing the Board: Lessons Learned from CISOs and Directors - YouTube (by Alan Paller, John P.)
  5. Risk Management & Executive Communication with Patrick Miller (by Patrick C Miller)
  6. Cybersecurity Leadership - YouTube (playlist of 112 videos in the #sansinstitute #cybersecurityleadership series; many presenters to thank).

Presentation Delivery:

You'll likely only have 30 mins to an hour (if you are lucky) to get your message across and make it stick with executives. So prepare, do some dry runs with colleagues/team, then modify and adjust.

Be ready to request another time slot and/or shorten your presentation, as it's far too often that something urgent comes up at the last minute. So, let's say, you should have a 15-minute version of your speech in mind in case the original time slot is shortened.

Tips: Check out the above example videos for insightful tips and approaches.

Takeaways:

Executives and the board care about (or are tasked with caring about) the following few things:

  • risks (regulatory, security, brand/reputation, financial, innovation or lack thereof),
  • revenue / mission,
  • costs (do more with less), and
  • customers and shareholders.

Secure, standardized and resilient business operations help drive all of these in a positive direction, and the presentation should touch upon the above points to emphasize the benefits across them.

Good luck with your next IT & OT (or one of them) Cybersecurity Strategy & Roadmap presentation, whether internally or to your clients/customers.

In case it's time to present your 1st IT & OT Cybersecurity Strategy, or time for an update/re-write, feel free to reach out to me via DM or get in touch at info[@]securingthings[dot]com for any business needs, project support, discussions and/or simply information sharing.

Follow @securingthings. It’s a great day to start “Securing:Things”.

#securingthings #itotstrategy #otsecuritydozen #cybersecuritystrategy #digitaltransformation #ot #ics #otsecurity #otcybersecurity #icssecurity #isa #icscybersecurity #securedigitaltransformation #operationaltechnology #industry40 #iec62443 #criticalinfrastructure #criticalinfrastructureprotection #criticalinformationinfrastructure #sgcii #securityawareness #otsecurityawareness #icssecurityawareness #otstrategy #iiot #icscybersecurityprogram #otcybersecurityprogram #manufacturing #industrialcontrolsystems #industrialautomation #strategypresentation #security

M. Yousuf Faisal

I help cyber & business leaders with Securing Things (IT, OT/ICS, IIOT, digital transformation/4.0 journey, & AI) & share everything I learn at securingthings.blog | securingthings.academy

1 year ago

Jerich Beason - thanks for your wonderful series

Simon Chassar

CRO / CxO - GTM Transformational Leader | Cybersecurity, AI and IOT | Portfolio Cybersecurity or GTM Advisor | Change & Growth Management | SaaS and Cyber Sales EVP | Advisor NonExec | Investor | Speaker

1 year ago

M. Yousuf Faisal another amazing piece of material - great work and important for all executives of cyber protection to read. Stay well buddy!

Omar Khawaja

CISO, AI risk mgmt, board member (HITRUST, FAIR Institute), Carnegie Mellon University faculty

1 year ago

Honing the message so it is at the right level for the board members is key. The challenging part is that level shifts over time - in large part because of the CISO’s updates!

Steven O'Sullivan MBA, SCCISP, CISSP

Smart Cyber, Quantum Cyber and Digital Risk SME, Founder of Smart Cyber Group, Executive Director of IOTSI UK, Member of Quantum Security and Defense Working Group

1 year ago

Very well detailed and professional information provided Yousuf. Well done and thank you.

M. Yousuf Faisal

1 year ago

What are your favorite presentations that you've attended on the topic? Please post below so others may benefit, including myself. Thanks.
