When the request comes in to give a cybersecurity presentation to the board, you should jump at the chance to educate your executives. However, a lengthy, in-depth presentation is more likely to leave the board scratching their heads than directing resources the right way.
More importantly, the landscape for board reporting has changed. Some leaders report more frequently than others; some report to executive committees; some report to a cybersecurity board committee. However, in some way, shape or form, all leaders of all organizations will ultimately have to report to their executives on security risks at least once.
“Boards are becoming increasingly interested in security and risk management; however, there’s often a misalignment between what the board needs to know and what security and risk management leaders are able to convey,” says Sam Olyaei, Director Analyst at Gartner. “It’s critical that security and risk management leaders supply board-relevant and business-aligned content that is not hampered by overly technical references.”
The stakes are also getting higher. Gartner estimates by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today. This means that cybersecurity risk at an enterprise level is not only a board discussion, but also a personal liability for board members. “Communication and reporting is more an art than a science,” Olyaei says. “Security leaders must be able to educate, assure, empower and inform the board within the specific period of time allotted to them.”
The ultimate question is: How do you do that? To start, remember that board members care about three things: risk, value and cost. Ask yourself which of these three things your content is hitting on.
Ensure your presentation answers key questions about how cybersecurity can and will support the company’s main mission and business, relevant environmental factors, and the extent to which material risks are being managed.
Most importantly, don’t allow the presentation to get bogged down in overly technical explanations. Ensure each point is high-level enough that the board will understand it, but detailed enough to provide a true picture. Lastly, make sure you are communicating your value to the business in terms of customer satisfaction, financial performance, reputational/legal perceptions and other more common business outcomes.
Olyaei suggests whittling it down to seven slides, including an intro and closing slides, that take about 15 minutes to present.
Slide 1: Get started
Slide 1 is designed to be the call-to-attention slide. It needs to be sparse and simply identify the topics you’ll cover in the following slides. It should signal that the presentation will include information about business execution, strategy, external developments and risk position, and set the scene at a high level.
Slides 2 – 6: Performance and contribution to business execution
It can be difficult for CISOs to demonstrate how security impacts business performance. However, when presenting to the board, it is key to link — implicitly or explicitly — security and risk to business elements the board values.
Whatever version of these slides makes sense for your enterprise will enable you to highlight metrics and how the security team is contributing to a positive outcome. However, you should also be prepared to explain potential problem areas and their implications. Come prepared with more detailed documentation on how you produced each metric in case any board member asks.
Slides 3 through 6 should discuss how external events will affect security, an assessment of the existing risk position (this can change depending on acquisitions and other events) and the entire security strategy.
Slide 7: The call to action
Finally, wrap up the presentation with a closing slide to reiterate your main points and any action items. The key is to finish strong, leaving the board confident in your plan and abilities. This is also a good time to take questions and thank the board for their time.