Top 5 Tips for Presenting about Cyber Risk to the Board

Cyber Resiliency & Ransomware September 28, 2023

So, you work in cybersecurity, and your organization's board of directors invited you to its next meeting? You are not alone. Board invitations are the new hot topic in CISO circles these days. For many, this may be the first such invitation. It's a big deal. Let's dive into why this new invitation is so noteworthy.

First, let's at the traditional role of a board of directors. Typically, an organization views the board as its governing body. Responsible for overall governance and oversight, the board’s practical tasks include selecting the CEO, overseeing executive compensation, and managing budgets. It’s also responsible for critical business decisions like mergers and acquisitions, expansions, etc. Generally, companies also define the board’s role as revenue, costs, and protecting the interests of shareholders and stakeholders.

What’s a better way to describe the board’s primary charter? Risk management.

In addition to business updates, board meetings focus on identifying, evaluating, responding to, and mitigating risks to prevent loss. Historically, boards prioritize financial, legal, regulatory compliance, and security risks. Innovation and brand reputation are also concerns, but a new risk has made its way to the priority list: Cyber.

Welcome Cyber Risk to the Risk List

With the ever-evolving cyber-attack landscape and the imminent ransomware threat of the past few years, cybersecurity risk is now a board concern for the first time. Executives and investors are paying attention, resulting in better security awareness, change management, and larger budgets. On the flip side, this also exposes a knowledge and communication gap. What do I mean? Board members often have not yet been briefed on the business impact of security and cyber risk, which leaves them a steep learning curve to get up to speed quickly.

Cybersecurity is becoming an increasingly important business consideration. Gartner predicts that 70% of boards will include a member with cybersecurity expertise by 2026. However, there is a current shortage of experts in this field, which means there’s most likely a knowledge gap among your board of directors.

The board's role in promoting a cyber-focused mindset and a cyber-conscious culture throughout the organization cannot be overstated. The board's oversight role is a fundamental aspect of governance, which includes defined risk-mitigation strategies, policies, and procedures.

Many boards have already approved digital investments, but might not yet see the return on investment. Let’s walk through ways to frame that conversation, present measurable results, and ensure you have the support necessary to address cyber risk.

5 Tips for a Successful Presentation

1. Educate through Storytelling

You’re communicating a complex topic to people who typically have little time and don’t need a deep technical background. It will be more valuable to frame the story in an interesting and relatable context than to dig into the technical details.

Your goal is to explain in layperson's terms and paint the picture in relatable ways. Stay out of the weeds. Inspire trust and confidence in yourself and your expertise. Your best bet is to tell a compelling yet straightforward story. The six-step SCIPAB structure — situation + complication + implication + position + action + benefit — is a great way to guide that story and ensure you drive home all the necessary points.

At the same time, you need to balance your story with transparency. Be open and honest with what is and isn’t working for your organization’s cybersecurity strategy. Board members want to know the business risks. Transparency is key.

Before the meeting, confirm where your board and senior leaders are focused and adapt your presentation to align. Easily connect cyber risk to the bottom line by:

  • Reviewing your governance model
  • Framing your points toward the same business outcomes
  • Connecting your metrics to the mission impact

2. Connect to Emotions

Research shows that human beings, including board members, make most decisions emotionally, then find data to back up their decisions. Conversely, CISOs often lead with lots of detailed security data, and as a result, risk being unconvincing.

It should probably go without saying, but know what is happening in the news. Every time I’ve attended a board meeting, I've been questioned about a recent cyber breach and how we are using that example to protect ourselves.

I also recommend avoiding FUD (fear, uncertainty, and doubt), which tends to be less effective with this audience. Instead, start by deciding how you want the board to feel about your message, then select the data to back up your story's emotional arc. Consider:

  • Are you presenting good or bad news?
    • Do you want the board to feel happy about the progress Infosec is making?
    • Do you have bad news because you don't have funding for everything Infosec needs to do?
  • How happy do you want them to feel?
    • Excited because the organization’s cybersecurity posture has improved.
    • Mildly concerned that some risks are manifesting, but you have them under control.
    • Deeply worried because of "someone might go to jail"-level security holes.

3. Leverage the NIST Cybersecurity Framework

There isn’t one magical solution when it comes to cybersecurity. One of the biggest hurdles you’ll face is that the board is looking for the bottom line or a quick fix. In reality, managing threat exposure needs to be a continuous process. There are no quick fixes. The right answer is often massive change and more money. It isn’t just about front-line security anymore.

Leveraging the NIST Cybersecurity Framework is an excellent method to frame talking points in a clear and concise manner. Its five core functions help to break the complexity into more digestible parts:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

They help explain all the areas that you need to address for a comprehensive cybersecurity strategy, and they emphasize the importance of approaching threats from all five areas.

Set for publication next year, NIST Cybersecurity Framework 2.0 adds a sixth function, Govern, with an expanded focus on supply-chain risk management. Organizations rely heavily on software and technology to drive operations in today's interconnected world. However, integrating multiple software components from different vendors also brings the risk of cyber threats and attacks. Supply-chain security spans the development and testing of software plus the monitoring and maintenance of its security posture. You should have governance measures in place to effectively address software supply-chain security.

4. Put Your Points in the Context of Risk

We’ve all been in meetings where we want to scream, “Get to the point!” Plan and prepare your presentation so this doesn’t happen to you. If this is the first time your board of directors is considering cybersecurity, you may feel like you need to provide background on how your organization got to its current state. Instead, focus on communicating present risks and the value in addressing those risks head-on.

It is always good to road-test your presentation with other senior leaders for feedback and practice. Ask if they feel you could omit specific topics or details. Move those slides into an appendix so you can jump to them during Q&A if needed.

5. Don’t Forget the Metrics You Control

You have the emotional story, the framework, the context set. Now, review your presentation with a focus on readiness and proactive steps to limit your organization’s risk. Include the security initiatives you have in-flight, your roadmap, and what improvements need to be made.

When presenting cybersecurity information to a board or executives, it's essential to focus on key metrics that provide a clear and concise view of the security posture and risk management. Here are some of the most important metrics to include:

  • Incident Overview
    • Number of incidents
    • Count by severity levels
  • Incident Response
    • Mean time to detect and respond
    • Comparison to industry standard benchmarks
  • Security Control Effectiveness
    • Number of successful and unsuccessful intrusion attempts
  • Patch Management
    • Percentage of critical systems and software patched and up-to-date
    • Time taken to apply critical patches after release
  • Vulnerability Management
    • Number of open vulnerabilities and criticality
    • Progress in addressing vulnerabilities and remediation rates
  • Security Awareness
    • Percentage of users who have completed cybersecurity training
    • Results of phishing simulations and improvements in user awareness
  • Security Investments
    • Security budget allocation
    • Upcoming investments, including third-party spend, and why they are needed
  • Risk Highlights
    • Any high-risk vendors or critical supply-chain vulnerabilities
  • Recommendations and Actions
    • Prioritized steps needed to enhance security posture
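As an added example that is not part of the original post, here is one way to roll raw incident and vulnerability records up into the incident overview, response-time, patch-management and vulnerability-management figures listed above. The records are constructed for illustration, and the severity labels, the 14-day critical-patch SLA and the report date are assumptions rather than anything the post prescribes:

```python
"""Roll raw incident and vulnerability records up into board-level metrics.

Added example (not the author's reporting code). The records below are
constructed; the severity labels, the 14-day critical-patch SLA and the
report date are assumptions.
"""
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed sample incidents: (id, severity, occurred, detected, contained).
INCIDENTS = [
    ("INC-1", "high",   "2023-07-02T03:10", "2023-07-02T09:40", "2023-07-02T15:10"),
    ("INC-2", "medium", "2023-07-11T14:00", "2023-07-11T14:30", "2023-07-12T10:30"),
    ("INC-3", "low",    "2023-08-05T08:00", "2023-08-06T07:00", "2023-08-06T11:30"),
    ("INC-4", "high",   "2023-08-20T22:15", "2023-08-21T00:15", "2023-08-21T06:15"),
]

# Constructed sample vulnerabilities: (id, criticality, published, patched-or-None).
VULNS = [
    ("VULN-A", "critical", "2023-07-01", "2023-07-09"),  # patched in 8 days
    ("VULN-B", "critical", "2023-07-15", "2023-08-10"),  # patched in 26 days, past SLA
    ("VULN-C", "high",     "2023-07-20", "2023-07-30"),
    ("VULN-D", "critical", "2023-08-10", None),          # still open at the report date
    ("VULN-E", "low",      "2023-08-01", None),
]

CRITICAL_PATCH_SLA = timedelta(days=14)   # assumed policy, not from the post
REPORT_DATE = datetime(2023, 9, 1)        # assumed "as of" date for the board pack


def _ts(value):
    return datetime.fromisoformat(value)


def _hours(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 3600


def incident_overview(incidents):
    """Incident count, broken down by severity."""
    by_severity = {}
    for _, severity, *_ in incidents:
        by_severity[severity] = by_severity.get(severity, 0) + 1
    return {"total": len(incidents), "by_severity": by_severity}


def incident_response(incidents):
    """Mean time to detect (occurred -> detected) and to respond (detected -> contained)."""
    mttd = mean(_hours(occurred, detected) for _, _, occurred, detected, _ in incidents)
    mttr = mean(_hours(detected, contained) for _, _, _, detected, contained in incidents)
    return {"mttd_hours": round(mttd, 1), "mttr_hours": round(mttr, 1)}


def patch_management(vulns, sla=CRITICAL_PATCH_SLA, as_of=REPORT_DATE):
    """Critical-patch coverage, SLA compliance, time-to-patch, and open items already past SLA."""
    critical = [v for v in vulns if v[1] == "critical"]
    patched = [v for v in critical if v[3] is not None]
    within_sla = [v for v in patched if _ts(v[3]) - _ts(v[2]) <= sla]
    days_to_patch = [(_ts(v[3]) - _ts(v[2])).days for v in patched]
    # An open critical item past its SLA is a breach in progress; a plain
    # "percent patched" figure hides it, so it is reported separately.
    overdue_open = [v for v in critical if v[3] is None and as_of - _ts(v[2]) > sla]

    def pct(part):
        return round(100 * len(part) / len(critical)) if critical else 100

    return {
        "critical_total": len(critical),
        "critical_patched_pct": pct(patched),
        "critical_within_sla_pct": pct(within_sla),
        "median_days_to_patch_critical": median(days_to_patch) if days_to_patch else None,
        "critical_open_past_sla": len(overdue_open),
    }


def vulnerability_management(vulns):
    """Open vulnerabilities by criticality and the overall remediation rate."""
    open_by_criticality = {}
    for _, criticality, _, patched in vulns:
        if patched is None:
            open_by_criticality[criticality] = open_by_criticality.get(criticality, 0) + 1
    remediated = sum(1 for v in vulns if v[3] is not None)
    return {
        "open_by_criticality": open_by_criticality,
        "remediation_rate_pct": round(100 * remediated / len(vulns)) if vulns else 100,
    }


def board_metrics(incidents=INCIDENTS, vulns=VULNS):
    """One dictionary per section of the board slide."""
    return {
        "incident_overview": incident_overview(incidents),
        "incident_response": incident_response(incidents),
        "patch_management": patch_management(vulns),
        "vulnerability_management": vulnerability_management(vulns),
    }


if __name__ == "__main__":
    for section, values in board_metrics().items():
        print(section, values)
```

The one design point worth carrying into your own pack is the `critical_open_past_sla` figure: on this sample, "67% of critical vulnerabilities patched" sounds acceptable until the board also sees that one open critical item is already three weeks past the 14-day window. Benchmark comparisons against industry figures are deliberately not computed here, since those depend on an external data set.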

Put Your Presentation into Action

You should now have all the pieces to prepare and confidently present to your board of directors. As a modern CISO or security professional, you’re responsible for all digital risk across the organization, not just IT risk. Go in with confidence. Hopefully, this is the start of an ongoing conversation to drive business value and measure your protection-level outcomes.

I didn’t want to overwhelm you during your first presentation, but if you want to take the next steps, I recommend embedding compliance into your cybersecurity conversations as well. Read my recent post, “Building Cybersecurity Infrastructure for Regulatory Compliance: Essential Tools for Risk Mitigation” for more.

Christos Tulumba
Chief Information Security Officer