“Said the CISO to the Board…”
Information security is a standard agenda item for most corporate Boards, and one that continues to get their attention. As it should. Fraudulent activity and security incidents are up more than 20% as workforce settings expanded and new work models took shape.
It’s not just a change in how employees work. It’s also a major shift in criminal activity. Security teams have gone from tracking bad actors to monitoring criminal enterprises, and from blocking breaches to managing every dimension of risk. Few threats to the livelihood of a company compare with a breach of its data security: a serious breach can put a business “out of business” overnight. And every Board member is well aware that’s a lot of liability and risk to manage.
That’s why they often say: “We want to hear from the CISO.”
They ask for an overview of the security strategy, a view of risks and indicators, and a brief on security governance. And every CISO will tell you there’s nothing brief about it.
The world of a CISO today looks a lot like a NASA command center: dashboards, indicators and a small army of people working several fronts on any given day. It’s monitoring, assessing, measuring, building, reviewing, testing, and reporting – all in a day’s work.
And it’s one of the toughest communication challenges in companies today.
Because if you’re the CISO, you have to figure out: What do they need to know?
Nearly every CISO has presented to the Board this year, some more successfully than others, and all are finding it’s becoming a significant part of the role. So, understanding how to communicate complexity in a clear and concise manner is an essential skill.
And that’s why we’ve helped hundreds of CISOs find the right approach and altitude with Boards.
The focus varies from one company to another, but we use these general guidelines to help CISOs cut through complexity and develop effective Board presentations.
Know your Board – The starting point is to gauge the current perspective of your Board members. A review of backgrounds and involvement tells you where their current inputs on security may be coming from. Do they sit on other Boards, or are they currently leading a company with high risks? Most CISOs face a mix of perspectives, with some Board members having a decent amount of insight and others having very little. Your content will need to focus on those who know the least, as you can’t dismiss the perspective of anyone in the room. But you can leverage the insights and experiences of the more informed if you know their perspective in advance. This gives you a few supporters during the presentation and helps you anticipate the more informed questions that will come your way.
Understanding vs Knowledge – Most CISOs approach their content with a desire to educate a group. And that leads to confusion, a boatload of details and information overload. Unintentionally, the CISO causes this by trying too hard to impart knowledge to a group. Boards don’t seek knowledge; they seek a high level of understanding. And there’s a difference. They want to understand enough about your priorities and strategies to trust that you have the knowledge to run a complex enterprise. But they aren’t seeking to become experts on security topics. So, tell them less about what you know and illustrate more about what you’re doing with that knowledge.
Outside-In View – The Board perspective will be influenced by the latest event or report that has hit the newsstand, other Boards or their colleagues. Leverage external events and security topics to align quickly to how a Board may be thinking and what they’re hearing as current priorities or shifts in the corporate environment. Relate those topics to your internal perspective. This helps them easily contrast the two and consider what may or may not be relevant as they engage with you.
Define What & Why – The hardest discipline to learn is staying away from HOW you deliver on things. They asked for overviews, but what they really mean is a broad view of what you’re doing and why you’re focused on those areas. They want very little of HOW your team literally does it. That’s too much detail. And it’s when their eyes glaze over. Boards don’t think confusion comes from their lack of understanding. They view it as your inability to be clear. Avoid talking over their heads, because the response could knock you off your feet.
Illustrate with Examples – The only place for a little detail is in examples of programs or initiatives. These should be shared as stories or illustrations of a specific program that yielded impact or outcome. Think about these as stories and examples that a Board member might remember and repeat. The detail comes in the set-up and context, not the detail of how the solution was implemented.
Repetition and Structure – These presentations aren’t going away. Just ask the finance group! They’ve got the most experience keeping Boards informed. And they’ve learned to do so with a repeatable structure and high-level enterprise view. CISOs need to find a repeatable structure that allows them to present information in a consistent way. That’s the fastest way to engage and build trust with a Board.
It’s also where we can help. We’ve developed a format and a storyline structure that has helped hundreds of CISOs define the right overview for their organization. And I bet we can help you!
We’re here when you need us.
Want a free 15-minute consultation with Sally to see how she can help you or your team prepare for these conversations? Book a call with her now!