How Information Security Leaders Can Engage the Board Effectively

July 22, 2021 | By IANS Faculty

For security leaders or CISOs presenting to the C-suite or the board, it’s critical what is being shared is specific to the company’s circumstance and mission. Rather than being overly detailed and technical, we recommend the information presented is based on demonstrable knowledge and data that address known and unknown threats to the business. This piece explains how to effectively engage and educate the board and executives to foster genuine insight and help them make fully informed risk management decisions.

Information Security Presentations for the Board 

Consider focusing on the risk issues of most concern to leadership for a board-level security presentation. This might include, but is not necessarily limited to, the board member’s self-perceived issues and the issues raised by the CISO that become properly embedded into the risk consciousness of the board.

We suggest taking the time to profile the leaders and meet with as many as possible to understand their fears, aspirations for the company and their individual role on the board. Who are the de facto board business, technical and risk experts? How can you tune the message so it has impact with those leaders?

Understand your company’s legal and regulatory requirements as they relate to security. How does security relate to the principles and mission of your company? Build strong partnerships with your chief privacy officer, regulatory leader and legal key players. Also, it’s worth knowing the key security threats, including, but not limited to those:

  • Broadly in the world
  • In your industry
  • Impacting your own enterprise
  • Experienced by your suppliers/partners

Advice for Information Security Teams Presenting to the Board

Treat your information security presentation to the board as a basis for a dialog. CISOs should consider preparing the deck and content collaboratively with two to four top leaders (typically the CIO, head of audit, CFO, etc.). Regulatory and industry compliance is assumed and not usually covered, unless there is special attention or notice to the board required. However, a good top-level message typically focuses on how the security program addresses:

  • Known threats: These must be articulated and mitigated. To do this:
    • Build a clear understanding of the known threats, starting with your outside knowledge of the global and industry security environment.
    • Integrate this with the perceived threats of top leadership and the actual threats and incidents playing out in your enterprise.
    • Consider collating this into a threat model that rank-lists the top 5-7 events that might substantively damage your organization. The key is the list should become the organization’s threat model, not just the CISO’s.
    • Once you have a ranked list of known threats, you can evaluate your ability to defend, respond and recover. This provides the rationale for your near- and long-term security program projects.
  • Unknown threats: These are mitigated by having a prepared workforce ready to adapt to urgent circumstances. This includes everyone in the enterprise, with special focus on security and IT. Preparation and assessment of preparedness requires a security framework such as the NIST Cybersecurity Framework (CSF) or the ISO 27000 series security standards. CISOs should use those frameworks to establish an initial maturity baseline. Then, top leadership can compare the organization’s maturity with that of best-in-class and similar organizations in your field. They can then use their collective risk appetite to decide on the appropriate scope of security preparedness, with the CISO creating maturity-raising projects to close the gap. Maturity measurements are best done regularly by a combination of external and internal assessors.

With that foundation in place, your board reports and dialogs can focus on the progress of the projects and note any changes in the threat landscape that might alter your project priorities.

Information Security Terminology 

The CISO must ensure everyone has a common understanding of terms like security, risk, threat, etc. If any are used in critical aspects of the business, the CISO should consider adapting the definitions so they will be recognized by all. For example, if safety is a critical element in the business and there is a set of terms used by the safety organization, make sure your definitions of security, risk and threat are easily related to those established uses. A few starting points are:

  • Security: Assurance that we are applying adequate protection to the confidentiality, integrity and availability of data and data systems.
  • Risk: A set of circumstances that might lead to harm.
  • Threat: A specific set of circumstance that would lead to specific harm(s) to OUR business, i.e., a specific risk we worry about.

The CISO must socialize the terms broadly to ensure a solid and common understanding – especially with the board.

Establish Information Security Measurements

Once you get beyond the basics of how the security organization is doing and how the company overall is doing, you likely want to start tracking individual enterprise organizations, such as business units and functions. By reporting information security metrics to the board or other executives on the status of 5-10 entities, you change the mindset from “security is just an organization” to “security is everyone’s job.” By showing dashboards demonstrating who is doing well or poorly in security risk management, you can get leadership to focus on the players who need the most help. This allows effort and board time in discussion to be spent wisely.

Strategies for Presenting Information Security to the Board

Some of the most valuable presentations are those that give the board genuine insight into how security works. This can happen in a variety of ways, but some strategies to consider include:

  • Board field trips: If possible, plan a brief security operations center (SOC) walk-through and have your security leaders provide real-life case studies, e.g., how they dealt with known security issues like previous ransomware attacks or broad vulnerabilities like Heartbleed.
  • Executive tabletops: Make sure you have regular security tabletop exercises (“wargames” or simulations) for top leadership and the board. Nothing gets understanding and buy-in like hands-on experience.

Effective CISOs manage the transition from “security is IT’s job” to “security helps everyone make good risk decisions.” Aspire to ensure risk owners are clearly identified and security supports them in the tough business decisions around risk with full transparency. Meaningful reporting on the levels of risk and progress in risk management is at the heart of every board presentation.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Access time-saving tools and helpful guides from our Faculty.

IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Get New IANS Blog Content
Delivered to Your Inbox

Please provide a business email.