Several years ago, we invited board members to speak candidly about presentations from company executives. Those free-flowing conversations more than lived up to what was billed as a “Don’t Bore the Board” panel discussion. The panel members’ engaging insights remain instructive to chief information security officers (CISOs) today as security leaders strive to hone their increasingly important board presentation approaches.
One corporate director confided that he paid less attention to the technical aspects of the CISO’s presentation, and instead scrutinized his CISO’s demeanor during presentations to obtain a gut-feel sense of the CISO’s confidence in his own ability to manage security risks. Another board member stressed that she focused nearly all her attention during CISO presentations on the information pertaining to the security budget.
As these forthright comments accumulated, it became clear that developing an understanding of the unique personality traits of individual directors, and the board as a whole, marked a crucial determinant of board-presentation success.
There is an increasing requirement for CISOs to engage in meaningful conversations with the board. Given the high-profile breaches in the news month after month, and the acknowledgement of most organizations that cyber risks are a key enterprise risk to be managed, there is no absence of interest or attention. CISOs must leverage these opportunities to provide transparency on the current state of security within their organization, as well as communicate budget, staffing and key decisions that will impact the direction going forward.
One of the most effective ways to improve board presentations is by discussing what works and what doesn’t with fellow C-suite presenters. CFOs, CIOs, chief risk officers and chief audit executives will have discerning observations about the board’s preferences regarding reports, slide decks, follow-up protocols and more. It can also be highly effective to present with a peer on occasion. We’ve seen CISOs and compliance officers speak to the board together to paint a vivid picture of cybersecurity, providing complementary perspectives that show collaboration on the topic. We’ve also joined CISOs during board presentations – providing external insights on industry cybersecurity risks and sharing relevant benchmarks. These approaches often result in a more conversational discussion, which enables the board to understand and actively engage in the conversation.
While each CISO has their own style and approach to communicating with the board, here are some common elements we observe from those who do so well:
- Know the audience: Each board has a unique personality. Its identifying characteristics relate to how the members consume and process information – and may consist of wanting comprehensive supporting details, avoiding technical descriptions and jargon, not wanting detailed supporting evidence, or even adhering to a hard limit on the number of slides included in a deck. To help ensure that communication styles are in harmony, determine if there are security-savvy board members, monitor when new members join the board and learn how subcommittees are structured to facilitate consistent reporting across related governance areas (e.g., risk and audit committees). Whenever possible, spend one-on-one time with directors, and especially committee members, during breaks, meals and informal interactions. Those chats provide a chance to solicit candid feedback and should enrich your knowledge of their backgrounds and preferences.
- Understand the broader context and speak in business terms: Many CISOs understandably struggle to frame their discussions in business terms. It’s natural to lean on the technical aspects of information security when discussing risks in a high-pressure setting. To avoid the pitfall of venturing too far down the technical path, prepare for presentations by addressing a list of business questions first and then considering how those dynamics affect cybersecurity: Is business performance up or down? How is information security affected by current business performance? How does security relate to key business initiatives?
- Be consistent: Consistent presentation formats over time allow the board members to focus on the information being shared, as opposed to investing time to understand the format and structure of that information. Consistency helps directors compare and contrast the most important trends and metrics over time. Common elements of most board presentations include:
  - Introduction and key themes
  - Progress toward “target state” security maturity (or tracking of the security road map)
  - Top risks, with relevant key risk indicators (KRIs) and metrics
  - Emerging risks and industry trends
  - Incidents and other notable events
  - Open discussion
- Select the right metrics: This is another pivotal board reporting component that’s ripe for misjudgment. Bypass overly technical and activity-centered measures (e.g., we created 1,200 accounts per month to support our access provisioning process) in favor of metrics that illustrate your performance in managing the company’s most relevant data security risks. (A side note: Protiviti’s Cyber Risk Quantification (CRQ) methodology provides insights for metric quantification.) If ransomware is a top security concern, find KRIs that assess those threats. If malicious insider activity is a key risk, find metrics that reflect your organization’s progress in alleviating that problem. Keep in mind the powerful nature of industry spending benchmarks.
- Get in front of incidents: While more board members recognize the inevitable nature of security breaches, CISOs should tactfully discuss breaches to continually familiarize the board with the risk as well as incident response strategies and procedures. Discuss recent public breaches and explain how a similar attack would be managed within your organization. Highlight the range of potential outcomes of an event and how the organization would take steps to minimize the impact. Also, consider talking about near misses within the organization – a sensitive topic, but one that can deliver an eye-opening educational experience to board members.
Above all, CISOs should put themselves in the minds of their board members: What do they want to know and learn when they’re listening to me? Corporate directors want useful information that helps them fulfill their fiduciary responsibility to provide governance and oversight of the organization. The CISO should be well-prepared to meet these expectations with insightful, relevant communications that the board will value.