“Said the CISO to the Board…”

Information security is a standard agenda item for most corporate Boards, and an area of focus that continues to get their attention. As it should. Fraudulent activity and security incidents are up more than 20% as workforce settings expanded and new work models took shape.

It’s not just a change in how employees work. It’s also a major shift in criminal activity. Security teams have gone from tracking bad characters to monitoring criminal enterprises, and from blocking breaches to managing every dimension of risk. There is no greater threat to the livelihood of a company than a breach in data security. Breaks in security efforts can put a business “out of business” overnight. And every Board member is well aware that’s a lot of liability and risk to manage.

That’s why they often say: “We want to hear from the CISO.”

They ask for an overview of the security strategy, a view of risks and indicators, and a brief on security governance. And every CISO will tell you there’s nothing brief about it.

The world of a CISO today looks a lot like a NASA command center with dashboards, indicators and a small army of resources deep in the trenches of multiple things on any given day. It’s monitoring, assessing, measuring, building, reviewing, testing, and reporting – all in a day’s work.

And it’s one of the toughest communication challenges in companies today.

Because if you’re the CISO, you have to figure out: What do they need to know?

Every CISO has presented to the Board this year. Some more successfully than others. And all CISOs are finding it’s becoming a significant part of their role. So, understanding how to communicate complexity in a clear and concise manner is an essential skill.

And that’s why we’ve helped hundreds of CISOs find the right approach and altitude with Boards.

The focus varies from one company to another, but we use these general guidelines to help CISOs cut through complexity and develop effective Board presentations.

Know your Board – The starting point is to gauge the current perspective of your Board members.  A review of backgrounds and involvement tells you where current inputs on security may be coming from. Do they sit on other Boards or are they currently leading a company with high risks? Most CISOs face a mix of perspectives with some Board members having a decent amount of insight and others having very little. Your content will need to focus on those who know the least as you can’t dismiss the perspective of anyone in the room. But you can leverage the insights and experiences of the more informed if you know their perspective in advance. This gives you a few supporters during the presentation and can identify the more informed questions that will come your way.

Understanding vs Knowledge –  Most CISOs approach their content with a desire to educate a group. And that leads to confusion, a boatload of details and information overload. Unintentionally, the CISO causes this by trying too hard to impart knowledge on a group. Boards don’t seek knowledge; they seek a high level of understanding. And there’s a difference. They want to understand enough about your priorities and strategies to trust that you have the knowledge to run a complex enterprise. But they aren’t seeking to become experts on security topics. So, tell them less about what you know and illustrate more about what you’re doing with that knowledge.

Outside-In View – The Board perspective will be influenced by the latest event or report that has hit the newsstand, other Boards or their colleagues. Leverage external events and security topics to align quickly to how a Board may be thinking and what they’re hearing as current priorities or shifts in the corporate environment. Relate those topics to your internal perspective. This helps them easily contrast the two and consider what may or may not be relevant as they engage with you.

Define What & Why – The hardest discipline to learn is staying away from HOW you deliver on things. They asked for overviews, but they really mean a broad view of what you’re doing and why you’re focused on those areas. They want very little of HOW your team literally does it. That’s too much detail. And it’s when their eyes glaze over. Boards don’t think confusion comes from their lack of understanding. They view it as your inability to be clear. Avoid talking over their heads because the response could knock you off your feet.

Illustrate with Examples – The only place for a little detail is in examples of programs or initiatives. These should be shared as stories or illustrations of a specific program that yielded impact or outcome. Think about these as stories and examples that a Board member might remember and repeat. The detail comes in the set-up and context, not the detail of how the solution was implemented.

Repetition and Structure – These presentations aren’t going away. Just ask the finance group! They’ve got the most experience keeping Boards informed. And they’ve learned to do so with a repeatable structure and high-level enterprise view. CISOs need to find a repeatable structure that allows them to present information in a consistent way. That’s the fastest way to engage and build trust with a Board.

It’s also where we can help. We’ve developed a format and a storyline structure that has helped hundreds of CISOs define the right overview for their organization. And I bet we can help you!

We’re here when you need us.



Sally Williamson & Associates

Do you have the Right Approach to Training?

If your initial response to that headline is “of course,” I hope you’ll read on. Because as simple as it may seem, approaches to training continue to evolve. And, the “best approach” can get lost in the rush to deliver or the desire to fit a program within a certain time frame. Time is a reality and costs are, as well. But skills development should trump them both. As the pace of work and expectations of workers continue to increase, employees have to be given the skills to be successful in their roles.

In the last few years, we’ve noticed that some companies pick a training model and push all training through the same approach. So, an employee who is being onboarded goes through the same approach as an employee who needs to renew health benefits. An employee who needs to get certified as a scrum master is following the same approach as someone who needs to learn how to access reports on Salesforce.

That can’t be right!  

We explored e-learning as part of our approach several years ago. At the time, we had access to initial work that a few clients were doing, and we explored formats and approaches with them. As those conversations progressed, I quickly realized that the success of e-learning was based on scale and not impact. Several months after the kick-off, I asked about results. The metrics they shared were accessibility and completion rates. There were no metrics tied to impact. 

For the SW&A team, that was a big concern because we’re vested in an approach that drives change and delivers impact. So I went back to hear from participants who had taken part in e-learning and found that their focus was on completion as well. They were pleased with how quickly they had completed a course, even though follow-up testing revealed a less than 20% retention rate on applying what they learned. I asked the leader about those dismal results, but she didn’t see it the same way. She told me that she was OK with a B- on impact as long as she could show that she was delivering access and information.

And that’s when I knew it wasn’t viable for us. That’s not a criticism of e-learning; it’s confirmation that one approach doesn’t fit every training need. And if you’ve met anyone who watched a 30-minute video on impactful communication and then delivered an impactful message, I’d love to meet them. It’s not an easy skill and few have mastered it.

It’s also a different expectation. And it illustrates the difference between awareness and adoption.

Awareness vs Adoption

One group with a large training need is the sales organization. This “go to market” group needs to understand products they sell, understand tools they use for forecasting, and execute really well on leading a customer conversation. If you were a sales leader thinking about the best approach to training in all these areas, you’d be smart to think about expectations.

Where are the expectations highest? Where do you need a salesperson to understand information and where do you need a salesperson to adopt new skills for impact?

A salesperson needs to know the products and the different capabilities the products deliver. But no one is going to ask them to build the product at the customer site. In fact, once the conversation advances to product adoption or implementation, the salesperson is going to get a lot of help from sales engineers and product designers; those are the groups who have mastered adoption of the product.

A salesperson has to adopt skills to lead an effective customer conversation. It’s not just knowing what a good conversation looks like or having tips for connecting with a customer. It’s learning a skill and adopting it in a way that you can repeat it over and over again. It’s driving change and helping a salesperson drive impact.

A smart sales leader will invest time on the adoption skills and leverage time on the information skills.

And, here’s the most interesting part. Every company is talking about change and trying to help the work and people evolve with that change. But the process of how people learn hasn’t changed as much, and a lot of companies get confused by that. You may have employees who are impatient and easily distracted, and they want to control the way they get information. That’s not the same as the pace at which they learn and adopt a skill. Adopting a new skill takes exploration, a deep understanding of fundamentals and repetition to build confidence and consistency.   

We’ve put a stake in the ground on the best approach to building effective communicators. We believe it takes a deep dive upfront to understand fundamentals and set personal goals. And then a communicator needs practice to reinforce progress. Our training has remained consistent on the best way to embed the fundamentals and continues to evolve as we expand to innovative ways to support practice and build communities for coaching. We believe that’s the best approach.

Do you have the right approach?

We can help you figure it out. With the new year ahead and a new set of expectations defined for your team, we can help your communicators adopt new skills to drive results.

We’re here when you need us.

Sally Williamson & Associates