4 Things Every CISO Must Include in Their Board Presentation

November 16, 2020 | 7 min read | Security Posture

For the most part, CISOs today have the attention of their board of directors. This is great! However, many cybersecurity leaders lose track of 3 important facts when it comes to presenting to the board:

  • You are presenting a complex topic to people who usually don’t have a deep technical background.
  • The goal of your presentation is to help the board meet its fiduciary duties.
  • You need to inspire the board’s trust and confidence while providing assurance that the information security function is effectively managing information risk.

Your best bet is to tell a simple, compelling story, backed by data. Here are 4 items that are essential for a successful board presentation:

1. Start with a summary of your last meeting

While this may seem like a no-brainer, you would be surprised how many seasoned presenters overlook this point. Summarizing the takeaways from the previous board presentation right at the outset gives the board a quick baseline for where you need to lead the discussion. During this summary, follow up on unresolved issues and any unanswered questions from the previous meeting. This is also the time to refresh the board on the security framework you measure yourself against, so that everything that follows can be read in its terms.

2. Present an update on events and changes in risk landscape

This is the core of your presentation where you update the board on the overall risk landscape, including any notable events. Use this section to highlight risks that require immediate action. Remember to present mitigation strategies and explain how the board can help. This section should consist of:

  • Your risk snapshot (ideally in dollars) and how your breach risk is trending quarter over quarter. The common currency that everyone in the room understands is money. If you speak in relative terms like high, medium or low risk, board members have no real way of knowing whether your definition of “medium” is an acceptable level of risk; a dollar figure is something they can weigh against the size of the business and against the other risks they oversee.
  • A breakdown of your risk by business unit and by attack type to help the board really understand the amount of risk you are carrying.

    Figure: Risk by Business and Attack Type

  • An analysis and interpretation of the quantitative data you presented in the previous two slides. Set the tone deliberately when you present these numbers: your audience will take its cue from how you present them and read them as good, neutral or bad. $17M of cyber risk may be completely acceptable or not, depending on the size of your organization, so say explicitly whether the figure sits inside or outside the level of risk the board has agreed to carry.
  • A discussion of any breaches in the news, in the context of your security framework, answering the typical board question “Could this breach have happened to us?” Breaches can never be totally avoided, but showing the steps you have taken to protect against these types of attacks goes a long way toward reassuring the board and earning its trust.
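The risk snapshot above is only useful if the dollar figures, the breakdowns and the quarter-over-quarter trend come from one consistent model. The script below is an added example written for this post, not Balbix code: it computes a simplified expected annual loss (annual probability of a material event times the loss if it occurs) for a constructed set of business-unit and attack-type pairs, rolls the result up both ways, reports the change against the previous quarter, and checks the total against a risk appetite expressed as a share of revenue. The figures, the two quarters, the revenue and the 2.7% appetite are all assumed for illustration.

```python
"""
Dollar-denominated cyber risk snapshot, rolled up by business unit and by
attack type, with a quarter-over-quarter trend and a check against a
board-approved risk appetite.

Added example for this post; it is not Balbix code. The loss model (annual
probability of a material event times the loss if it happens, i.e. a
simplified expected annual loss) and every figure below are constructed.
"""
from collections import defaultdict

# Constructed sample input: (business unit, attack type, annual probability,
# loss in USD if the event occurs). Q4 reflects hypothetical mitigations
# (e.g. offline backups and MFA) lowering two probabilities, and a new R&D
# exposure raising another.
RISK_ITEMS = {
    "Q3": [
        ("Retail",  "ransomware",     0.30, 25_000_000),
        ("Retail",  "web app attack", 0.20,  4_000_000),
        ("Finance", "phishing",       0.40,  6_000_000),
        ("Finance", "insider",        0.05, 20_000_000),
        ("R&D",     "ip theft",       0.10, 30_000_000),
    ],
    "Q4": [
        ("Retail",  "ransomware",     0.20, 25_000_000),
        ("Retail",  "web app attack", 0.25,  4_000_000),
        ("Finance", "phishing",       0.25,  6_000_000),
        ("Finance", "insider",        0.05, 20_000_000),
        ("R&D",     "ip theft",       0.15, 30_000_000),
    ],
}


def expected_loss(items):
    """Total expected annual loss in USD: sum of probability x impact."""
    return sum(p * loss for _, _, p, loss in items)


def rollup(items, by):
    """Expected annual loss per business unit (by="unit") or per attack
    type (by="attack"), so the same total can be cut both ways."""
    idx = {"unit": 0, "attack": 1}[by]
    out = defaultdict(float)
    for item in items:
        out[item[idx]] += item[2] * item[3]
    return dict(out)


def qoq_trend(prev_items, curr_items):
    """Absolute (USD) and percentage change in expected loss versus the
    previous quarter; negative means risk went down."""
    prev, curr = expected_loss(prev_items), expected_loss(curr_items)
    return curr - prev, (curr - prev) / prev * 100.0


def within_appetite(total_loss, annual_revenue, appetite_pct):
    """The same dollar figure is acceptable or not depending on the size of
    the business, so compare it to an appetite expressed as a share of
    revenue. The appetite is an assumed board-set parameter."""
    return total_loss <= annual_revenue * appetite_pct


def board_snapshot(quarters=RISK_ITEMS, annual_revenue=500_000_000,
                   appetite_pct=0.027):
    """Assemble the numbers for the risk slide as a plain dict."""
    q_prev, q_curr = "Q3", "Q4"
    total = expected_loss(quarters[q_curr])
    delta, pct = qoq_trend(quarters[q_prev], quarters[q_curr])
    return {
        "quarter": q_curr,
        "total_usd": total,
        "qoq_delta_usd": delta,
        "qoq_delta_pct": pct,
        "by_unit": rollup(quarters[q_curr], "unit"),
        "by_attack": rollup(quarters[q_curr], "attack"),
        "within_appetite": within_appetite(total, annual_revenue, appetite_pct),
    }


if __name__ == "__main__":
    snap = board_snapshot()
    print(f"{snap['quarter']} expected annual loss: ${snap['total_usd']/1e6:.1f}M "
          f"({snap['qoq_delta_pct']:+.1f}% Q/Q)")
    for label in ("by_unit", "by_attack"):
        for name, usd in sorted(snap[label].items(), key=lambda kv: -kv[1]):
            print(f"  {label[3:]:7} {name:15} ${usd/1e6:5.1f}M")
    print("within appetite:", snap["within_appetite"])
```

With the constructed inputs the Q4 total comes out at $13.0M, down $1.7M (about 11.6%) from Q3, and inside a 2.7% appetite on $500M of revenue, whereas the Q3 figure of $14.7M was outside it. That is exactly the kind of statement the board can act on: the same model, the same threshold, and a direction of travel, rather than a colour on a heat map.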

3. Performance against strategic infosec goals

Take the time to discuss the information security function’s maturity and progress towards your strategic objectives. Your main goal is to provide assurance that you are effectively managing your strategic roadmap and to answer questions about successes, setbacks, and changes in priorities. Your presentation should include:

  • Successful maturity improvement projects, as well as projects that may be behind schedule
  • Any setbacks, including root causes and a plan for future improvement
  • Be prepared to answer questions from the board on the costs and benefits of achieving different levels of maturity.

Figure: Sample CISO Operational Plan for Information Security

4. Any special topics that the board needs to be aware of

Include any special topics that fall outside the scope of the other agenda topics but are worthy of board awareness and/or discussion. These could be M&A activity with significant infosec aspects, leadership changes, or compliance audit reporting.

What the board wants

Your board members want you to connect information security and compliance risk items to board-level business risks. They want the presentation centered on managing the business risks that can harm the organization’s strategic objectives, not on low-level technical details. The quality of your presentation determines whether the board asks for regular, substantive updates at future meetings or stops asking.

Organizing your slides along the elements described above will help you assure the board that everything is going according to your strategic plan.

Our customers use Balbix routinely to generate widgets and slides for their board meetings. Please reach out to us to schedule a 20-minute demo of our platform, including the capabilities to map vulnerabilities and risk-items from the network level to the business level. You can download a customizable PowerPoint template which follows the outline described above for your next board meeting here.
