Don't let your board presentation miss the mark. Follow these best practices and common mistakes to avoid when communicating cybersecurity risk to the board.
Written by Mary K. Pratt — Contributing writer, CSO
Cybersecurity is a top concern for boards of directors.
In fact, 42% of the nearly 500 leaders surveyed by the National Association of Corporate Directors listed cybersecurity risks as one of the five most pressing concerns they’re facing — just behind changes in the regulatory climate and an economic slowdown.
As a result, security executives are increasingly going before boards to brief them on the risks they face and strategies to mitigate them.
“More boards are saying, ‘Talk to us, tell us what we need to know,’” says Gary Hayslip, CISO of internet security company Webroot and a veteran board member.
Yet, many board members find that they’re not getting the information they need from their chief information security officers.
“Board members are talking about cyber risk, and risk and audit committees are spending a lot of time grilling the CISOs, and they’re generally dissatisfied with the experience,” says David Chinn, a senior partner with management consulting firm McKinsey & Co.
There are steps that CISOs can take to avoid such negative reviews. Here, several experienced leaders share their advice for presenting to the board:
1. Do more prep work
Executives are expected to prepare written reports for distribution to board members in the weeks ahead of presenting to the board in person. Some think that advance work is enough, but experienced executives and leadership advisors say CISOs (especially those with limited time before boards) need to do more focused prep work or even receive specific training.
Before Hayslip presented to a new board for the first time, he asked his CFO to connect him with a director who would be willing to help him prepare for his presentation. “If I’m going to report to the board and I have never spoken to them before, I don’t want to come into that boardroom cold. I don’t know what kind of questions they’ll ask. I don’t know what they want to know. So I’ll talk to my peers, ask other executives who report to the board and get their feedback — who is there, what are they like, what questions they ask — so I’ll know who I’m going to talk to and how they like to have data presented,” he says.
2. Offer an assessment
Hayslip says that prep work along with his subsequent experiences presenting to boards has taught him something about what directors want to know — that is, an assessment of the company’s cybersecurity posture and how it needs to improve.
“Tell them where you are and where you need to be. And every time you come in, you share information about new risks and new opportunities to improve, building on the information presented in the prior [presentation],” he says. “Tell them, this is where we’re at, here’s where we’re immature and where the risks are, and from a threat profile this is what we should be prioritizing and why ... and where we stand against competitors.”
3. Be transparent
Assessments shouldn’t obfuscate the risks to the enterprise, experts say, so CISOs should be upfront and present relevant information in a straightforward, accessible manner.
“Many organizations have a threat intelligence department, and they’re packaging up that information for the board so board members feel like they’re in the know,” says Chinn. “Board members want to know the enterprise risk, the business impact of that risk, to what extent their investments have turned into controls and whether it yielded a meaningful reduction in risk.”
He cites as a strong example of how to offer such information one organization where the CISO implemented a self-service application that board members could use to access that information on demand.
4. Anticipate the (tricky) questions
The boardroom is no place for surprises. So Rob Clyde, chair of the board of directors with IT governance association ISACA, advises CISOs to anticipate the questions they’ll get from board members — particularly the questions that are most difficult to answer, such as “How good is our security?” and “Are we safe?”
CISOs often struggle to appropriately answer those types of questions and as a result tend to provide inadequate or confusing responses when answering on the fly, Clyde says.
He advises CISOs to think ahead and develop go-to responses. He also recommends CISOs use a cybersecurity maturity framework, such as the one offered by ISACA’s CMMI Institute, to offer an articulate, insightful response to those tricky questions.
Similarly, he says CISOs shouldn’t surprise the board, other executives and the CEO with their responses to such questions. Clyde says CISOs should share their responses to the anticipated questions with their CEOs; in fact, CISOs should be sure that their CEOs are briefed on any information they’ll present so they’re not putting their CEOs in any awkward situations.
5. Be honest about limits
On a related note, experienced executives say CISOs should be realistic when responding to questions about organizational risk and cybersecurity posture — even if they fear their responses might make them look ineffective. “Some boards will ask, ‘Are we 100 percent secure?’ You should never answer in the affirmative or answer it inaccurately by giving unfounded assurances,” Clyde says.
6. But don’t scare the board either
CISOs see the growing volume and increasing sophistication of cybersecurity attacks, so it’s not surprising they seek to share such information with their boards while explaining the resources they need to counteract all those threats.
“You have some CISOs who go in and list all the bad things that are happening and make it seem like the sky is falling,” Hayslip says, “but that [climate of] fear, uncertainty and doubt doesn’t really work for the board, and a CISO might get away with it once but all he’s going to do is tick off the board if he does it again.”
Boards certainly want data, he says, but they want that information in ways that allow them to make informed decisions about where to best place their security investments to mitigate their greatest risks.
7. Get a champion
James Carder, CISO of security solutions company LogRhythm, cultivated a relationship with a board member who had a technical background and sought him out as a mentor who could help him prepare for board meetings, review material being submitted to the board, and advocate for security strategies on his behalf.
He advises other CISOs to do the same.
“Get a champion on the board. They’ll give you feedback before you present to the board, [advising on] what words are important and what will resonate with the rest of the members. And that champion can have the conversations on security with the board when you’re not there and drive the changes you want,” Carder says.
8. Get to the point
CISOs are used to presentations at conferences where there’s a buildup to the main point, but that kind of approach doesn’t work well for boards that put a premium on time.
“Don’t hold the punchline. Get to the point right from the start. The board wants to know up front why you’re there,” Clyde says. “And if there’s something the board needs to take action on — for example, they need to consider buying cybersecurity insurance or figure out a policy on whether to pay ransom if there’s a ransomware attack — identify that and identify that right up front.”
He says CISOs can provide supporting information as time allows, realizing that the board members can access any needed information in the written material submitted in advance of the meeting.
9. Skip the tech talk
Carder says he once over-communicated his security work to the board, a mistake he knew he had made when board members repeatedly had to stop his presentation to ask about the terms he was using and the concepts he was describing.
“I assumed they knew certain security tech terminology,” he says, “and then I realized that I was over-communicating all these details vs. being concise and communicating the risks.”
Carder is now more conscious of leaving deeply technical information out of his presentation; there are no details about the latest exploits or the newest data loss prevention technologies or choice SIEM vendors or intrusion detection products. Instead, he focuses the conversation on high-level points around security and presents the information in plain business terms.
10. Present the business value
Many CISOs have trouble calculating the business ROI of their security investments, yet what boards want to know is the business impact of their security risks and investments.
That’s what Hayslip aims to deliver. “I show how my programs impact teams that make money; it’s showing how we’re helping them do what they do,” he says.
He once worked at a company that had some 50 machines taken offline each month due to malware, so he invested in technologies to reduce that monthly average. When he went before the board, Hayslip didn’t focus on the cost of the new technologies but rather on the value that investment brought to the organization through lower remediation costs and reduced downtime.
“That’s the kind of value story you have to talk about, plus the fact you’re reducing risk,” he says.
11. Determine measures of success
CISOs should reflect on whether they’re adequately conveying information to their boards, knowing that how well they’re communicating the business impacts of their security strategies correlates with how much support and funding they’ll get for their security strategy, Chinn says.
Chinn knows one CISO who judged his success in this area by how his board members react when corporate data breaches make the news.
“He says he knows he’s doing a good job informing the board when board members ask intelligent questions or no questions at all after news of a breach, because it shows they trust him as CISO,” Chinn says.
12. Capitalize on the opportunity
CISOs should present to the full board, Clyde says, noting that many CISOs present not to the full boards of directors but to audit and risk committees. And they should take the initiative to get on their boards’ agendas if they’re not already.
Moreover, CISOs should see their time in front of boards as opportunities to evangelize on the importance of a strong cybersecurity program as well as to educate on the strengths, gaps and strategies of the organization’s cybersecurity function. ISACA recommends that CISOs meet with their boards at least once a year, Clyde says.
“It’s about building up trust,” Hayslip says. “The board can see you’re getting things done, and they know not only that you know your job but that you understand the business, and you’re aligning your security program to support that.”