When the request comes in to give a cybersecurity presentation to the board, security leaders should jump at the chance to educate the executives. However, a lengthy, in- depth presentation is more likely to leave the board scratching their heads than directing resources the right way.
Gartner estimates by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually.
The question is what’s the best way to get the message across without losing the audience.
By 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity
“Boards are becoming increasingly interested in security and risk management; however, there’s often a misalignment between what the board needs to know and what security and risk management leaders are able to convey,” says Rob McMillan, research director. “It’s critical that security and risk management leaders supply board-relevant and business-aligned content that is not hampered by overly technical references.“
Ensure the presentation answers key questions about how cybersecurity can and will support the company’s main mission and business, relevant environmental factors and the extent to which material risks are being managed. Most importantly, don’t allow the presentation to get bogged down in overly technical explanations. And ensure each point is high-level enough that the board will understand it, but detailed enough to give them a true picture.
McMillan suggests a “five slides in 15 minutes” style presentation, with an intro and closing slide.
Slide 1: Get started
Slide 1 is designed to be the call to attention slide. It needs to be sparse, and simply identify the topics you’ll cover in the following slides. No details are necessary, but it should signal that the presentation will include information about business execution, strategy, external developments and risk position. It’s high level, and sets the scene for the board.
Slides 2 – 6: Performance and contribution to business execution
It can be difficult for CISOs to demonstrate how security contributes to business performance. However, when presenting to the board, it is key to link (implicitly or explicitly) security and risk to business elements that the board members value.
Whatever version of these slides makes sense for your enterprise will enable you to highlight metrics and how the security team is contributing to the positive outcome. However, you should also be prepared to explain potential problem areas and their implications. Bring more detailed documentation on how each metric was produced for any board member who asks.
Slides 3 through 6 should discuss how external events will affect security, an assessment of the existing risk position (this can change depending on acquisitions and other events) and the entire security strategy.
Slide 7: The call to action
Finally, wrap up the presentation with a closing slide to reiterate the main points and any action items. The key is to close strongly, leaving the board confident in your plan and abilities. Summarize the points you’ve made, and be clear about anything you have requested. This is a good time to take questions, and thank the board for their time.
This article has been updated from the original, published on May 29, 2017, to reflect new events, conditions or research.