With the right ingredients, you can nail your board presentation every time. Check out these recommendations from seasoned Fortune 1000 CISOs.
Presenting to the board can seem like the most daunting task to CISOs - but it doesn't have to be. It's as much about the preparation as it is about having the right ingredients. A new report by the Executive Security Action Forum - an RSA Conference community of security executives from Fortune 1000 companies - aims to help CISOs improve their board presentations.
Titled "What Top CISOs include in updates to the board," the 34-page report shares insights on topics such as how to best structure board presentations and what topics to cover. The ideas come from eight unidentified CISOs working in seven different industries that the Executive Security Action Forum interviewed for the report.
Although there's no standard template or framework for how CISOs should present to the board, the report provides the following tips and insights to help make your board presentation a success.
Five topics CISOs include in their updates to the board
The interviewed CISOs all touched on these five topic areas when briefing their respective boards:
- Changes to the risk landscape, generally focusing on threats, while also covering regulations and contractual obligations
- Priority risks, zeroing in on the cyber risks and/or risk factors considered the highest priority
- Maturity score, calculating an overall score that reflects the company's security maturity and/or security posture
- Security initiatives, addressing the progress of specific security initiatives
- Security incidents, highlighting significant security incidents that affected the company
How CISOs organize their updates
Generally, how CISOs organize their updates varies by the type of content being presented and can be broken down into three main areas:
- Frequency: How often CISOs update the board. The report found that most CISOs typically update the full board once a year and a board committee quarterly - with board committee updates generally being longer and more detailed. For example, a CISO may have 30 minutes with the board committee and only 20 minutes with the full board.
- Format: How CISOs choose to present the materials to the board. The format of an update is usually a brief summary with an appendix. For example, CISOs may provide the board with a three-page summary that has a 30-page appendix including details and metrics. Other formats may include a presentation/memo or a pre-read.
- Flow of topics: How CISOs choose to order their topics. Some CISOs may choose to start with the status of the security roadmap while others may start with external issues, such as changes to the threat landscape. Additionally, the topics covered may vary for an individual CISO. For example, certain topics may not be covered every quarter but rather annually or semi-annually, such as a "board education item" that's on the agenda twice a year. Or, topics may change to reflect recent events in the year, such as the completion of a project or an incident at a third party. Although the flow of topics may change over time, most CISOs view updating the board as an ongoing conversation.
(Source: RSA Conference's "What Top CISOs Include in Updates to the Board" report, October 2022)
How CISOs convey risks
CISOs play a critical role in keeping the board updated on how their organization is managing risks. When it comes to understanding how cyber risks are being managed at their organization, the board's objectives include:
- Ensure risks are managed with due care. This is considered to be the fiduciary responsibility of boards. Additionally, CISOs must be sure to quantify risks in financial terms in their updates to the board.
- Demonstrate they have been providing oversight. It's imperative that the board knows and fully understands the gaps and is able to show it was privy to all the details and not just receiving top-level reporting.
- Hold the CEO and executive leadership at the company accountable for managing risk, and demonstrate legal defensibility. For example, if an incident occurs, there is the potential for legal action against board members. Therefore, it's critical that board members are able to put themselves in a defensible position. They can do this by showing that they were adequately overseeing cyber risk management, including ensuring that risks were being addressed and prioritized in a reasonable way.
When it comes to communicating aspects of risk management to the board, CISOs typically address this area from multiple angles to show that cyber risks are being:
- Monitored, by providing data on elements like new attack vectors, threat actors, vulnerabilities and regulations
- Analyzed and prioritized, by listing top risks, or breaking out risks by market or product areas
- Mitigated and reduced, by including metrics, security controls, plan roadmaps, gaps and costs
- Included in overall enterprise risk management, by explaining how cyber risks compare with the organization's other risks
(Source: RSA Conference's "What Top CISOs Include in Updates to the Board" report, October 2022)
Learn more
For more information, you can request a copy of the full report or watch this on-demand webinar.
To delve deeper into this topic, check out these articles and videos:
Articles
- “CxOs Need Help Educating Their Boards” (Cloud Security Alliance)
- “7 mistakes CISOs make when presenting to the board” (CSO Magazine)
- “3 Tips for a Successful CISO Board Presentation” (Fair Institute)
Videos
- “Deliver Your Board Message with Context and Confidence” (SC Magazine)
- “Highlights from CISO Series Video Chat: ‘Hacking the Boardroom Meeting’” (CISO Series video)
- “How to be an effective CISO by being an effective communicator” (Dr. Eric Cole)