I am increasingly having to present to our board and it’s not always the best experience. Do you have any advice on how best to approach a company board that is not technical at all?
I suggest taking a human approach to this aspect—set up lunch/side meetings and conversations with a few members a week before the meeting and prepare them. Each BoD member has an agenda, and it is not necessarily the same. This will allow you to be more comfortable in the room and also have others to back you up/manage the conversation during tough times. Hope it helps. If you want to practice, feel free to ping :)
When delivering your report as a business-minded Chief Information Security Officer (CISO), it is crucial to recognize that executives are primarily interested in security matters when the message is conveyed in business terms and through compelling narratives. Therefore, it is advisable to minimize technical details and numerical data within your presentation. Instead, focus on clearly articulating the current state of primary risks and the desired target risk level. Subsequently, outline the proposed approach to achieving this target. This explanation should emphasize resource requirements (budgetary allocations and other necessary resources) without delving into technical specifications. Furthermore, utilize financial figures rather than qualitative assessments to represent data whenever possible.
Andrea, I fully concur with your thoughts. I also find strategic alignment with the Chief Risk Officer helps further strengthen the narrative.
I agree. A risk-based approach is of significant importance in this context.
Hi there - I read Ingrid's response and echo her recommendations. A business partner who interfaces with the board will help you prepare a high-level presentation that provides the information the board wants and needs. If you feel your experience hasn't been as positive, would a business partner be willing to give you feedback from their perspective?
You may want to consider, if appropriate in your environment, asking a board member for feedback on your messaging and whether they would make recommendations to ensure your messages are on target.
To append my feedback, based on the 2024 IIA Global Conference, one session covered your question with an anecdote. When communicating to the board, the speaker's focus was on risk impact (e.g., reputation risk, business interruption). These other topics, while briefly mentioned, took a back seat: a) controls, b) weaknesses in controls, c) risk events, d) requests (e.g., funding).
That's a highly valuable insight, thanks for sharing!
My approach in this type of scenario is to generally provide the 30,000 ft. view and include the 1 or 2 most important (to the board) supporting data points. It’s rare that I include technical details in the presentation. I will almost always have all support data and technical information documented in the appendix (of a PowerPoint presentation) for reference.
Additionally, overplanning has helped me. Knowing the presentation and data inside and out helps me to be flexible and pivot if necessary.