Don’t Bore the Board: 5 CISO Hacks for Highly Effective Presentations

0

Several years ago, we invited board members to speak candidly about presentations by company executives. These free-flowing conversations lived up to what was billed as a “Don’t Bore the Board” roundtable. The panel members’ engaging insights remain instructive for today’s CISOs as security leaders strive to refine their increasingly important board presentation approaches.

A corporate executive shared that he paid less attention to the technical aspects of the CISO presentation and instead looked at his CISO’s behavior during presentations to get a feel for the CISO’s confidence in his own ability to handle challenges. security risks. Another board member pointed out that she focuses most of her attention during CISO presentations on security budget information.

This article was written by

As this direct feedback accumulated, it became clear that developing an understanding of the unique personality traits of each director, and of the board as a whole, was a critical determinant of pitch success at the advice.

There is a growing need for CISOs to engage in meaningful conversations with the board. Given the high-profile breaches in the news month after month and the recognition by most organizations that cyber risk is a key business risk to manage, there is no lack of interest or attention. CISOs should take advantage of these opportunities to provide transparency on the current state of security within their organization, as well as communicate budget, staffing, and key decisions that will impact direction. .

One of the most effective ways to improve board presentations is to discuss what works and what doesn’t with other C-suite presenters. CFOs, CIOs, CROs and audit directors will have specific feedback on board preferences for reports, slides, follow-up protocols, and more. It can also be very effective to present with a peer on occasion. We’ve seen CISOs and compliance officers speak together on the board to paint a vivid picture of cybersecurity, offering complementary perspectives that show collaboration on the topic. We also joined CISOs during board presentations, providing external insights into industry cybersecurity risks and sharing relevant references. These approaches often result in a more conversational discussion, allowing the board to understand and actively participate in the conversation.

While every CISO has their own style and approach to communicating with the board, here are some common elements we see in those who do it so well:

  1. Know the audience: Each board has a unique personality. Its identifying characteristics relate to how members consume and process information – and may include wanting full supporting details, avoiding technical descriptions and jargon, not wanting evidence at detailed support, or even to adhere to a strict limit on the number of slides included in a set. . To ensure communication styles are aligned, determine if there are security-savvy board members, monitor when new board members join, and learn how subcommittees are structured to facilitate consistent reporting in related governance areas (eg, risk and audit committees). Whenever possible, spend one-on-one time with directors, and especially committee members, during breaks, meals and informal interactions. These chats offer a chance to solicit candid feedback and should enrich your knowledge of their backgrounds and preferences.
  2. Understand the larger context and speak in business terms: Many CISOs naturally struggle to frame their discussions in business terms. It is natural to rely on the technical aspects of information security when discussing risk in a high-pressure environment. To avoid the pitfall of venturing too far down the technical path, prepare presentations by first addressing a list of business questions, then examining how these dynamics affect cybersecurity: is business performance in rising or falling? How is information security affected by current business performance? How does security relate to key business initiatives?
  3. To be coherent: Consistent presentation formats over time allow board members to focus on the information being shared, rather than investing time in understanding the format and structure of that information. Consistency helps administrators compare and contrast the most important trends and metrics over time. Common elements of most board presentations include:
  • Introduction and key themes
  • Progress towards “target state” security maturity (or security roadmap tracking)
  • Top risks, with key risk indicators (KRIs) and relevant metrics
  • Emerging risks and industry trends
  • Incidents and other notable events
  • Open discussion
  • Select the right metrics: This is another critical element of board reporting that is ripe for misjudgment. Bypass metrics that are too technical and business-centric (for example, we created 1,200 accounts per month to support our access provisioning process) in favor of metrics that illustrate your performance in managing security risks the company’s most relevant data. (Note: Protiviti’s Cyber ​​Risk Quantification (CRQ) methodology provides information for quantifying metrics.) If ransomware issues are a top security concern, look for KRIs that assess these threats. If malicious insider activity is a key risk, look for metrics that reflect your organization’s progress in addressing this issue. Keep in mind the powerful nature of industry spend benchmarks.
  • Deal with incidents: As more board members recognize the inevitable nature of security breaches, CISOs need to tactfully discuss breaches to continually educate the board on the risk as well as policies and procedures. incident response. Discuss recent public breaches and explain how a similar attack would be handled within your organization. Highlight the range of potential outcomes of an event and how the organization would take steps to minimize the impact. Also consider talking about near misses within the organization – a sensitive topic, but one that can provide an eye-opening educational experience for board members.
  • Above all, CISOs need to put themselves in the minds of their board members: What do they want to know and learn when they listen to me? Corporate directors want useful information that helps them fulfill their fiduciary responsibility to provide governance and oversight of the organization. The CISO should be well prepared to meet these expectations with insightful and relevant communications that the board will appreciate.

    This article was written by Andrew Retrum.

    Copyright © 2022 IDG Communications, Inc.

    Share.

    Comments are closed.