Chapter 3: Self-Preparation: Understand The Business – Selling Information Security to the Board

CHAPTER 3: SELF-PREPARATION:
UNDERSTAND THE BUSINESS

As I said in my introduction, top management is primarily interested in what makes the business work, not in the technology that underpins it. The attention span of individual senior managers can be short and, if their attention is not caught by an issue, they move on to something else without even getting interested in the subject. And if you talk to them in a language they don’t understand, you won’t even capture their attention.

‘Techtalk’ is a language the board doesn’t understand. Security layers, protocols, OSes (operating systems), petabytes, virtualisation and TLAs (three letter acronyms) all leave the board cold.

If you’re going to have a conversation with the board, you have to speak in their language, and focus on the issues that pre-occupy them. In many commercial organisations, for instance, the issues that are front of mind for most executives are:

  • Top-line revenue (or sales income).
  • Gross margin (the difference between sales income and the direct cost of buying or producing what has been sold).
  • The bottom line (or net income, net revenue or just ‘profits’ – how much of the sales income is left after meeting all overheads).
  • Return on investment (also known as ROI – how much is generated by making a specific investment; this might be measured in percentage terms or in absolute terms).
  • Product or service quality (as this is fundamental to maintaining the top-line revenue and the gross margin).
  • Risk management (identifying and dealing with any external factors that could derail the organisation’s plans for increasing its profits).
  • Cashflow (ensuring that there is enough money available to meet the organisation’s financial obligations as and when they fall due).
  • Competition is a key issue for boards. What are our competitors doing? What new products and services are they launching that might impact our top-line revenue and steal our customers? What can we do to steal their customers? Enlightened boards also ask: ‘What might we have to change now in order to compete effectively next year?’
  • Legal and/or contractual compliance (as a failure in either of these could undermine the ability to generate sales revenue, might lead to a distracting court case or public prosecution, and could play havoc with an executive’s career prospects).
  • Boards and top management usually think that measurement is fundamental to how they manage the organisation, saying things like: ‘What’s measured is what gets done’. KPIs (key performance indicators) are the most widely used measurement tool; KPIs can exist for most aspects of corporate performance, and might include ratios like sales conversion rates, sales per square metre, percentage of faults per million manufactured items, and so on. KPIs are only interesting to a board if they really provide a way of assessing whether or not some important part of the operation is performing at the level necessary for the overall achievement of the business objectives.
  • Resources and operational capability are another area of concern for boards; they usually seek to have just enough resources available to meet planned activities and, when considering new initiatives, one of their areas of worry will always be the availability of resources and the extent to which a new initiative might divert people away from what they are currently doing.

About once a year, and usually whenever presented with a new strategic initiative, boards will review their corporate vision, mission, values and strategic priorities. It is often simpler to reject a new proposal than to change any of those core components of the corporate identity.

You’ll note that information security does not appear on this list.

You are going to have to become familiar and comfortable with the concepts in this chapter if you are to engage successfully with the board on the topic of information security. You will have to become adept at couching information security proposals, to focus on their measurable benefits in improving the top and/or bottom line, measuring risk, advancing corporate objectives, or meeting compliance requirements.