CISO NextCybersecurity

Don’t Bore the Board: 5 CISO Hacks for Highly Effective Presentations

Andrew Retrum
May 3, 2021
5 min read

Several years ago, we invited board members to speak candidly about presentations from company executives. Those free-flowing conversation more than lived up to what was billed as a “Don’t Bore the Board” panel discussion. The panel members’ engaging insights remain instructive to CISOs today as security leaders strive to hone their increasingly important board presentation approaches.

One corporate director confided that he paid less attention to the technical aspects of the CISO’s presentation, and instead scrutinized his CISO’s demeanor during presentations to obtain a gut-feel sense of the CISO’s confidence in his own ability to manage security risks. Another board member stressed that she focused nearly all her attention during CISO presentations on the information pertaining to the security budget.

As these forthright comments accumulated, it became clear that developing an understanding of the unique personality traits of individual directors, and the board as a whole, marked a crucial determinant of board-presentation success.

There is an increasing requirement for CISOs to engage in meaningful conversations with the board. Given the high-profile breaches in the news month after month, and the acknowledgement of most organizations that cyber risks are a key enterprise risk to be managed, there is no absence of interest or attention. CISOs must leverage these opportunities to provide transparency on the current state of security with their organization, as well as communicate budget, staffing and key decisions that will impact the direction going forward.

One of the most effective ways to improve board presentations is by discussing what works and what doesn’t with fellow C-suite presenters. CFOs, CIOs, chief risk officers and chief audit executives will have discerning observations about the board’s preferences regarding reports, slide decks, follow-up protocols and more. It can also be highly effective to present with a peer on occasion. We’ve seen CISOs and compliance officers speak to the board together to paint a vivid picture of cybersecurity, providing complementary perspectives that show collaboration on the topic. We’ve also joined CISOs during board presentations – providing external insights on industry cybersecurity risks and sharing relevant benchmarks. These approaches often result in a more conversational discussion, which enables the board to understand and actively engage in the conversation.

While each CISO has their own style and approach to communicating with the board, here are some common elements we observe from those that do so well:

  1. Know the audience: Each board has a unique personality. Its identifying characteristics relate to how the members consume and process information – and may consist of wanting comprehensive supporting details, avoiding technical descriptions and jargon, not wanting detailed supporting evidence, or even adhering to a hard limit on the number of slides included in a deck. To help ensure that communication styles are in harmony, determine if there are security savvy board members, monitor when new members join the board and learn how subcommittees are structured to facilitate consistent reporting across related governance areas (e.g., risk and audit committees). Whenever possible, spend one-on-one time with directors, and especially committee members, during breaks, meals and informal interactions. Those chats provide a chance to solicit candid feedback and should enrich your knowledge of their backgrounds and preferences.
  2. Understand the broader context and speak in business terms: Many CISOs understandably struggle to frame their discussions in business terms. It’s natural to lean on the technical aspects of information security when discussing risks in a high-pressure setting. To avoid the pitfall of venturing too far down the technical path, prepare for presentations by addressing a list of business questions first and then considering how those dynamics affect cybersecurity: Is business performance up or down? How is information security affected by current business performance? How does security relate to key business initiatives?
  3. Be consistent: Consistent presentation formats over time allow the board members to focus on the information being shared, as opposed to investing time to understand the format and structure of that information. Consistency helps directors compare and contrast the most important trends and metrics over time. Common elements of most board presentations include:
    • Introduction and key themes
    • Progress toward “target state” security maturity (or tracking of the security roadmap)
    • Top risks, with relevant key risk indicators (KRIs) and metrics
    • Emerging risks and industry trends
    • Incidents and other notable events
    • Open discussion
  4. Select the right metrics: This is another pivotal board reporting component that’s ripe for misjudgment. Bypass overly technical and activity-centered measures (e.g., we created 1,200 accounts per month to support our access provisioning process) in favor of metrics that illustrate your performance in managing the company’s most relevant data security risks. (A side note: Protiviti’s Cyber Risk Quantification (CRQ) methodology provides insights for metric quantification.) If ransomware concerns are a top security concern, find KRIs that assess those threats. If malicious insider activity is a key risk, find metrics that reflect your organization’s progress in alleviating that problem. Keep in mind the powerful nature of industry spending benchmarks.
  5. Get in front of incidents: While more board members recognize the inevitable nature of security breaches, CISOs should tactfully discuss breaches to continually familiarize the board with the risk as well as incident response strategies and procedures. Discuss recent public breaches and explain how a similar attack would be managed within your organization. Highlight the range of potential outcomes of an event and how the organization would take steps to minimize the impact. Also, consider talking about near misses within the organization – a sensitive topic, but one that can deliver an eye-opening educational experience to board members.

Above all, CISOs should put themselves in the minds of their board members: What do they want to know and learn when they’re listening to me? Corporate directors want useful information that helps them fulfill their fiduciary responsibility to provide governance and oversight of the organization. The CISO should be well-prepared to meet these expectations with insightful, relevant communications that the board will value.

To learn more about our CISO Next initiative, contact us.

Andrew Retrum

Managing Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
8 Apr

Join our experts on April 25 as they delve deep into the strategies and practices essential for safeguarding customer trust, ensuring a stellar user experience, and adhering to privacy and data security standards. Register today! https://ow.ly/fumH50R4fbw #DataPrivacy

Reply on Twitter 1777336025301254502 Retweet on Twitter 1777336025301254502 Like on Twitter 1777336025301254502 Twitter 1777336025301254502
protivititech Protiviti Technology @protivititech ·
5 Apr

Find out how businesses can use #AI technologies for real use cases in #Quantum sensing, simulations and migration to post-quantum cryptography during the latest podcast episode with guest @paul_kassebaum. https://ow.ly/Wy7u50R9t8M

Reply on Twitter 1776309432592330940 Retweet on Twitter 1776309432592330940 1 Like on Twitter 1776309432592330940 4 Twitter 1776309432592330940
protivititech Protiviti Technology @protivititech ·
5 Apr

Protiviti’s Kim Bozzella explains how technology and #Automation in the #Manufacturing industry has—and will continue to—improve productivity and quality enhancement. Read more from the Forbes Technology Council. https://ow.ly/nTPy50R7WYC

Reply on Twitter 1776249003769803111 Retweet on Twitter 1776249003769803111 Like on Twitter 1776249003769803111 Twitter 1776249003769803111
protivititech Protiviti Technology @protivititech ·
1 Apr

Organizations who are part of the Department of Defense supply chain must understand, identify and protect controlled unclassified information, often called #CUI in their environments. Here’s what you need to know: https://ow.ly/bjbW50R59Ke #ProtivitiTech

Reply on Twitter 1774769203540566390 Retweet on Twitter 1774769203540566390 Like on Twitter 1774769203540566390 Twitter 1774769203540566390
protivititech Protiviti Technology @protivititech ·
29 Mar

A global hospitality company is well positioned to leverage the latest AI technologies after hiring Protiviti to establish and implement a comprehensive AI governance standard. Read our latest client story: https://ow.ly/Ir7R50R4nrh #ProtivitiTech #ClientStory

Reply on Twitter 1773772540306919718 Retweet on Twitter 1773772540306919718 Like on Twitter 1773772540306919718 1 Twitter 1773772540306919718
Load More