Struggling with board presentations? Here are tips tailormade for CISOs

Effectively articulating your cybersecurity posture to your board is a critical skill. Your presentations drive vital conversations and decisions about risk, resources, investments and more. And it’s not only your organization that benefits. When the data you share consistently resonates, it elevates your role, boosting your odds of increased budgets and team capacity.

But sharing information with the board or executive leadership is an area where many cyber leaders lack confidence. In fact, the CISOs we talked to at our recent RSA conference cited board reporting as their top concern.

We've developed a four-part blog series to help, with practical tips and real-world best practices for articulating your organization’s security posture and elevating your leadership role.

The first blog of the series focused on strategy: flagging top risks, putting a strategic framework and plan in place and measuring the right things. Here, in part two, we get into the nuts and bolts of sharing this strategy with your board or executive leadership — from the metrics that ground your presentation to a storyboard that spans the organization, surfaces the most important details and makes it all easy to grasp.

Here’s our three-step guide.

1. Cover the top board concerns

Cybersecurity is a vast and ever-evolving subject. Yet among the many topics your presentation could cover, only a small minority will be relevant to your board at any given time.

Avoid the risk of tangents and rabbit holes by focusing in on the following four questions:

• What are the threats, or things that could cause loss?
• What are the assets, or the things that are valuable to your organization?
• In what ways are your people, processes and technologies vulnerable?
• How might all of these things financially cost your organization? Think beyond fines to things like system availability, business or operational continuity and the reputational damage of breached customer data.

Consider your answers a solid starting point for the next step: your presentation agenda.

Any immediate threats, breaches and attacks will of course take center stage. Beyond this, however, your board will also want updates in a variety of evergreen areas, such as:

• How your certifications, controls and compliance reports map out against regulatory frameworks like SOX, HIPAA, FedRAMP, SOC 2 and so on — an important topic as proxy season rolls around
• The status of monitoring, testing and training across critical areas of the organization — especially any vulnerabilities or gaps that need to be addressed
• Key customer concerns, like data and privacy — and how the organization is addressing those concerns

2. Guide your board to what they need to know and decide

Once you've discussed your organization's current risk posture and any immediate threats you're facing, it's time to help your board or executive leadership team understand what you need from them to move forward. Now you can narrow your focus even more to pressing decisions and specific actions. For example:

• Are there any new measures your organization should take in terms of data access, security technologies or physical security methods?
• Should cyber-related operations like public relations strategies or investments like cyber insurance be revisited or updated?
• Does the board itself need to up its own cyber expertise with training, outside speakers or even a new board member or two?

When talking about risks and vulnerabilities, focus in on those most material to the organization. Which are most likely to happen and most potentially impactful in terms of the bottom line? When sharing specific facts and figures, do so sparingly and selectively. If a metric isn’t enabling organizational decisions or influencing behavior, don’t waste your — or your board’s — time on it. During a packed board/executive leadership meeting, every minute counts.

This being said, don’t be shy about sharing your opinions, even as you whittle your presentation down to the most salient and urgent points. Your perspectives on risk, strategy, opportunities and the future are why the leadership team invited you in to speak in the first place.

3. Make your findings a quick read

Cybersecurity metrics are highly granular, specific and plentiful. Risk assessments inherently involve highly complex activities like factor analyses and probabilistic modeling.

Yet busy boards generally lack the time, and the background, to delve into these technicalities. Furthermore, overly complex graphs, reports and jargon may cause listeners to drift off just when you need their attention.

Here’s where digital presentation tools are your secret weapon. Examples include:

• Data visualizations that deliver trends and context at a glance
• Dashboards that bring metrics and KPIs together into a unified view
• Risk scorecards that show your organization’s security status against competitors and industry benchmarks

When using these tools, strive for real-time data when possible, and reference a specific framework in your presentation if appropriate. Many CISOs use the NIST Cybersecurity Framework because it distills cyber complexities into one straightforward proposition: What are our capabilities before, during and after a cyberattack?

Finally, remember that communications with the board and executive leadership are a two-way street. Be prepared to answer questions like:

• What are the security risks of a potential new product, service or acquisition?
• How is your team measuring threats and vulnerabilities across your supply chain?
• What new cyberthreats and developments are on the horizon?

Your knowledgeable answers — in tandem with a streamlined, user-friendly, ROI-focused presentation — will further your department’s cause even more in elevating cybersecurity as a priority, and yourself as a trusted advisor to the executive leadership.

With these presentation tips and a solid cybersecurity strategy in hand, you’re ready for part 3 of this blog series: your evolving role as an organizational leader.