5 Mistakes CISOs Make in Their Board Presentations

November 3, 2020 | 13 min read | Cybersecurity Strategy, Security Posture

As a cybersecurity leader, you generally receive only a short time window in the board meeting for your update. During this time, you need to communicate key risks and remediation tactics, explain your strategic goals and plan, and answer questions, all for a largely non-technical audience. This can be quite challenging. Your presentation needs to be crisp, engaging, and informative, and you can’t afford to make any mistakes.

Now, it’s natural to assume that CISOs across organizations of various industries and sizes will have their own unique sets of challenges while presenting to their boards. However, when we polled experienced board members and CISOs, we found that cybersecurity executives across a broad set of companies make many of the same mistakes.

Before we delve into these common mistakes that CISOs make while presenting to the board, it is instructive to understand what your board members care about.

What your board cares about

Your board primarily cares about 3 things:

  1. Revenue growth and other non-revenue objectives related to your company’s mission statement
  2. Current and future expenses
  3. Threats to future revenue and the overall value of the business

In the cybersecurity update, your board members are looking for an assessment of the company’s overall cybersecurity posture and the risk to the business. They are also looking for assurance that your team is managing information risk effectively, by making the right tradeoffs between costs and risk.

Here are 5 common errors in board reporting and how to avoid them.

#1. Not speaking the board’s language

Remember, your board members’ perspective of cybersecurity is different from that of your security and IT colleagues. The board views security as a set of risk items that need to be accepted, managed, or mitigated depending on the expected impact to the business. You must develop a good understanding of your board members’ risk appetite and your presentation must speak about risk in metrics relevant to the board, i.e., in money terms.

Boards want to know the business impact of the security risks and investments. Therefore, instead of focusing on the technical details and costs of new technologies, demonstrate the value that the cybersecurity investment has brought to the organization through lower risk.

[Figure: Risk Snapshot & Trend]

#2. Not presenting an accurate picture of your risk

With a massive and rapidly growing attack surface, your team has its hands full with the challenges of understanding and improving cybersecurity posture. If you present to the board without acknowledging this reality, you will not gain the trust of your directors.

“According to a recent Governance Outlook from the National Association of Corporate Directors (NACD), 82% of board members are secure in their management’s ability to address known risks, but only 19% have the same confidence about atypical, disruptive risks.”

The three essential prerequisites for getting a complete picture of your risk are:

  1. Accurate up-to-date inventory of assets that need to be protected
  2. Understanding of the business value of these assets
  3. Continuous analysis of these assets for cyber-risk across all relevant attack vectors

Your board members will know when you do not have this information. Once you have it, you will be able to define risk areas appropriate for your business and then map your vulnerabilities to these areas.

For example, one such risk area can be “intellectual property”, and when you analyze, prioritize and remediate vulnerable assets that contain intellectual property, your reporting to the board will be based on the actual, on-network ground truth.

#3. Not being able to quantify your security posture

As a CISO, it may seem impossible to explain and report the importance and workings of the organization’s cyber-risk program to an audience that views cybersecurity as a difficult technical topic. As a result, many board and C-Suite decisions related to security are made with gut feelings and with insufficient data.

You can overcome this obstacle by presenting risk in units of money. Board members may not understand what a “high risk score of 90” or a “target patching cadence of 22 days” means, but they certainly understand the implication of “$8M of risk due to unpatched software”.

To quantify cybersecurity posture for your board, identify key areas of the business at risk in money terms and help them understand how your cybersecurity program is aligned to mitigating this risk.

[Figure: Risk by Business and Attack Type]

Also, remember that at the board level it is a lot about benchmarks, so you must be able to compare your cybersecurity posture and breach risk against those of similar organizations. Your board will look to you to recommend the appropriate level of acceptable risk your organization should aim for. In addition, you must have internal benchmarking data in your back pocket: which risk owners are doing their job, and which ones are lagging on security.

#4. Presenting too much information

You see the growing volume and increasing sophistication of cybersecurity attacks, so it’s not surprising that you seek to share detailed information with the board while explaining the resources you need to counteract all those threats. Boards certainly want their decisions to be informed by data. However, the risk of presenting too much data is that you drown them in it and they lose the main point you are trying to drive home.

Your best bet is to tell a compelling and simple story. It is more important to be interesting than to be complete! In your presentation, balance facts with insights. Instead of just reciting results or data, provide an analysis. Explain why something happened and what the ramifications are. Tell them where you are and where you need to be from a cybersecurity posture perspective. Share information about new risks and new opportunities to improve (building on what you presented in the prior meeting).

[Figure: Risk Detail Highlights]

#5. Not having an operational plan

Your board presentation must be backed by a strategic plan detailing how your initiatives and programs will change the cybersecurity posture and achieve the appropriate level of residual risk. Your plan needs to be presented as an easily digestible, high-level list of initiatives or projects, each with corresponding time frames, required resources, and a dollar cost.

Furthermore, given that the board will expect you to drive and execute the plan, you must identify all the responsible stakeholders involved. Make sure that your board understands that the first line of defense for cyber-risk is the risk owners in IT and in the business, not the infosec team. During the next cybersecurity review with the board, highlight quantifiable improvements that show the risk-reduction outcomes your organization has achieved over time.

[Figure: Sample CISO Operational Plan for Information Security]

One final tip for a successful board presentation

Before you start on your next board presentation, take a step back and think about what it is that your board of directors really wants to know, and then align your discussion of risk with the company’s strategic goals. You must decide how you want the board to feel as a result of your status presentation, and then select the data to back up the emotional arc of the story.

Consider:
Are you presenting good or bad news? Do you want the board to feel happy about the progress Infosec is making? Or is this bad news because you don’t have funding for everything that absolutely needs to be done?

How happy do you want them to feel? Excited because cybersecurity posture is indeed better? Mildly concerned that some risks are manifesting but you have them under control? Or deeply concerned because there are “someone might go to jail-level” security holes?

Focusing your presentation on answering these questions is the key to its success.

[Figure: Balbix Dashboard]

Get a comprehensive picture of your security posture

Balbix can help you get a single, comprehensive, and up-to-date picture of your cybersecurity posture.

Our AI-powered platform automates the continuous discovery of your assets, on-prem or in the cloud, managed and unmanaged, and the analysis of these devices across 100+ attack vectors. Balbix helps you estimate risk, likelihood, and impact scores for every area of your business and provides intuitive visualizations for your presentations to the board and C-suite colleagues. Balbix also provides prioritized fixes for improving your security posture and integrates into your vulnerability and risk management workflows. With Balbix, the board presentation that would’ve taken weeks to create can be completed in minutes.

Request a demo to learn more.

You can also download a suggested template for your board presentation here.
