Working with senior business executives is one of the great perks of becoming a CISO. In the case of your company’s board of directors (BoD), the perk also includes challenges. Like an audition for “America’s Got Talent,” the BoD presentation offers a brief moment to shine along with a few opportunities to fall flat on your face. This article shares some of my practices and insights about presenting to the BoD based on many years of hard-learned experience.
Before we dive into the highlights of making an effective board presentation, let’s take a look at the kind of people who typically serve on the BoD and what their job involves. Your BoD, I guarantee, is made up of some extremely smart and experienced people. Just like you, but not like you at all. Directors typically come from backgrounds quite different from those of security and IT executives. Some are executives at your company, such as the CFO or CEO. Others are outsiders, often investment professionals, attorneys or C-level executives from other industries. Understanding this difference in backgrounds is essential to forming the right approach to a BoD presentation.
So, what does the board do? As a CISO, you may not have had much exposure to boards earlier in your career. The board’s responsibilities include developing a governance system for the entity and ensuring the implementation of an effective strategy. They have a fiduciary duty to protect the organization’s assets as well as the shareholders’ investments. How will shareholders know that their money is being spent wisely and is not exposed to excessive risk? That’s the purpose of the BoD. They’re elected by shareholders to oversee the work of executives like you.
When you are called upon to make a security presentation to the BoD, what they are really asking you is, “How is your department contributing to the realization of strategic business objectives… and how are you protecting corporate assets?” In particular, the BoD is concerned with risks to corporate assets that might come from cyber threats. For example, a data breach might cause both a financial loss as well as damage to the corporation’s brand. Security-related litigation and regulatory risks also loom large for the BoD.
Cybersecurity is a relatively new focus area for BoDs. Interest in security may be driven by a cybersecurity component of the annual audit, which the BoD oversees. If the corporation is considering cybersecurity insurance, the directors will want to know if you recommend it and why. Remember, the CISO role has changed. We now design and implement a cyber risk management program, not just technical standards.
The SEC also requires the corporation to disclose “material risks” in filings such as the 10-K and 10-Q reports. (A material risk is one that carries serious financial consequences.) If there are material risks related to cybersecurity, you will have to explain to the BoD how they came about and what you plan to do about them.
The directors don’t want a highly technical answer. It’s not their specialty. They won’t understand what you’re talking about, and you risk creating anxiety and prompting hard-to-answer questions. That said, they don’t want a simplistic answer either. There may be a temptation to “dumb down” BoD materials, but that is a mistake. It’s better to “dumb it up.” Keep it simple and business-oriented, but don’t water it down. How is this best done?
One thing to bear in mind is the length of your presentation. You may be asked to present to the BoD once a year for 10-15 minutes. Your presentation will be sandwiched between many others during a long board meeting. This context is very important. You’re not being asked to justify your entire department’s plan in depth. You’re not being asked to ponder the big security and technology issues of our times. You’re being asked to spend 10-15 minutes making the BoD confident that the shareholders are going to be protected by the best security practices that are suitable for your specific entity.
So, in perhaps three slides, you need to achieve the following:
- State your security strategy and objectives as they relate to the BoD’s fiduciary duty.
- Describe high-level metrics and notable incidents that have occurred in the last period and reflect on how your strategy is working to defend shareholder assets. If there have been adverse incidents, you have to explain what you intend to do about remediating the underlying causes.
- Show the value of your strategy by demonstrating that it can solve the systemic challenges the corporation faces.
Directors may look for peer examples to satisfy themselves that an issue is being handled correctly. Offering examples of comparable practices at similar firms can go a long way to instilling BoD confidence in your approach.
None of this is particularly hard, but there is some finesse and time commitment required to be successful. In my experience, it might take me and my team a good 50 hours or more to boil down our ideas into three BoD slides. I put a lot of time into my speaking notes. I never assume the directors will understand (or thoroughly read) the text on the slide itself. You can always have supplemental material available, but you only get your 10-15 minute slot with the board once. For any topic you want to present, it pays to ask yourself, “If I were an investment banker or non-technical C-level person, how would I react to this?” You might want to role play and see if you can spot distracting, overly technical concepts.
I suggest doing careful preparation, starting with backchannel discussions with others in the company who have dealt with the board. Your BoD will have a distinct personality based on its members. There may be certain directors to note in terms of temperament and interests. For instance, your peers might let you know that Mr. X also serves on the board of a company that suffered a massive data breach. Being aware of these kinds of factors can help you make the most effective presentation.
Presenting to the BoD is a privilege. It’s an opportunity as well as a challenge. If someone tells you “don’t sweat it,” they’re wrong. You should sweat it. But, if you put in the appropriate prep time and research your audience, you should do well. Stay focused on strategy and objectives, always aligning back to how your work helps the BoD undertake its fiduciary duties to the shareholders.
For more information about creating and deploying an innovative security strategy to satisfy your BoD, talk to one of our IT security experts. We’ll help you get started.