Presenting IT & OT Cyber-security Strategy to Executives / Board of Directors

Table of Contents

• Before the Presentation

• Presentation (Content Preparation-to-Delivery)

  • The Story line

  • Presentation Content

  • Taking Inspiration from different experts from the …

  • Presentation Delivery:

• Takeaways:

Continuing from one of the previous newsletter posts titled - Digital Transformation & Cybersecurity Premier (an introduction) and IT & OT/ICS Cybersecurity Strategy that talks about drafting an integrated IT and OT/ICS Cybersecurity strategy or independent ones. In case you've missed them - highly recommend reading them first before reading this edition of newsletter.

So let's get started.

Now that we've laid out high level steps of #digitaltransformation and #cybersecurity #strategy journey and then have finished drafting/developing the cybersecurity strategy (phase 1 in strategy life-cycle), the next step is preparing and presenting the cybersecurity strategy to business executives and or to the board of directors to get their buy-in and approval for funding, executive commitment and resources required to executive the strategy (which is phase 2 in the strategy cycle).

This is probably one of the most daunting and difficult task for many, specially for people with technical skills and no management background or business skills, and many struggle to get the message across and don't get the right level of support or funding from business leaders/executives. One would need to remove their technical hats and put on their business hats, to simplify the messaging around cyber risks equation, focus on risks and consequences that their organization is potentially exposed to.

On daily basis, the business executives and board of directors are ensuring that they are taking the right decisions to move the business forward by managing varying types of risks (financial, reputation, legal, environmental, ESG, operational, etc.) that their business operations need addressing, so that their investments decisions are prioritized.

Before the Presentation

Research the executive audience you'll be presenting to (what they like to discuss/interests, persona types etc.). If you personally know them you may have an advantage (but in some cases, it’s likely that you don't interact them on daily basis), if you don’t; do ask people around that have given presentations and take into account their feedback on what works and what may not work.

Presentation (Content Preparation-to-Delivery)

The Story line

Make it sound like you are taking them on a short, precise, quick journey where you are projecting the current state of affairs, what's your recommended target state looks like and what would it take the business to achieve the target state - i.e. a managed risk state.

Presentation Content

Below highlights an example Agenda:

Agenda/Presentation Title - choose a catchy agenda title that could draw attention (that something important is coming) - and may resonate with business vision and or business priority goals. E.g.:

• Global Cyber-security Strategy (2023-2026) or

• IT & OT/ICS Cyber-security Strategy & Program Road-map - A structured risk reduction approach.

Note: choose your own environment and best scenario specific titles.

note:

• Brand Name/Products/Services could be replaced by your specific business elements e.g. X Food & X Beverages brand or product names / services - anything that's business specific.

• depending upon the executive leadership style, some would prefer the asks i.e. item 4 in above picture to be put in front earlier in the presentation, before you talk about 2 and 3. Therefore, adjust accordingly).

Ensure you understand the current business climate and situation and if its the right time to ask in the first place. Budget submission period is perfect but you need to spread the awareness among peers and other parts of business well in advance to get a buy-in in time for the budget.

Be as specific and precise as possible on the asks from the executives (e.g., resource requirements, staff involvement, approvals and funding etc.).

Taking Inspiration from different experts from the field

Its great to learn from experts that share some wonderful techniques on how they are moving ahead with their plans, what hurdles they face and how they've overcome them including ideas on what to present and what not to cover.

Below are a list of few of many such great video presentations for reference:

1. A case study master class on Reporting Cyber Risk to the Board by Omar Khwaja - YouTube (by Omar Khawaja)

2. A Practical Approach to Presenting to the Board of Directors for CIOs #GartnerSYM - (by Tina Nunno)

3. How to Present Cyber Security Risk to Senior Leadership | SANS Webcast - YouTube (by James Tarala)

4. Briefing the Board: Lessons Learned from CISOs and Directors - YouTube (by Alan Paller, John P.)

5. Risk Management & Executive Communication with Patrick Miller (by Patrick C Miller)

6. Cybersecurity Leadership - YouTube (112 videos by #sansinstitute #cybersecurityleadership series - play list) (many presenters to thank for).

Presentation Delivery:

You'll likely only have 30 mins to an hour (if you are lucky) to get your message across and get your messaging stick with executives. So prepare, do some dry runs with colleagues/team, modify adjust.

Be ready to request for another time and or shorten your presentation as it’s far too often that something urgent will come at last minute. So let’s say you should have 15 mins of speech in mind in case the original time slots shortens up.

Tips: Checkout the above example videos to get insightful tips and approaches.

Takeaways:

Executives and board care about (or tasked to do so) the following few things:

• risks (regulatory, security, brand/reputation, financial, innovation or lack thereof),

• revenue / mission and

• costs (do more with less)

• customers and shareholders.

- a secure, standardized and resilient business operations helps drive all these things towards positive direction and the presentation should touch upon the above points to emphasis benefits across these points.

Good luck for your next IT & OT (or one of them) Cybersecurity Strategy & Road-map presentation internally or to your clients/customers.

In case its time for presenting your 1st IT & OT Cybersecurity Strategy or time for an update/re-write - feel free to reach out to me via DM or get in touch at info[@]securingthings[dot]com for any business needs, project support, discussions and or simply information sharing.

Follow @securingthings. It’s a great day to start “Securing:Things”. 

#securingthings #itotstrategy #otsecuritydozen #cybersecuritystrategy #digitaltransformation #ot #ics #otsecurity #otsecuritydozen #otcybersecurity  #icssecurity #isa #icscybersecurity  #securedigitaltransformation #iiot #operationaltechnology #industry40 #iec62443 #criticalinfrastructure  #criticalinfrastructureprotection  #criticalinformationinfrastructure #sgcii  #securityawareness  #otsecurityawareness #icssecurityawareness #otstrategy  #icscybersecurityprogram #otcybersecurityprogram #manufacturing  #industrialcontrolsystems #industrialautomation #strategypresentation #security