For security leaders or CISOs presenting to the C-suite or the board, it’s critical that what is shared is specific to the company’s circumstances and mission.
Rather than being overly detailed and technical, we recommend that the information presented be based on demonstrable knowledge and data that address known and unknown threats to the business. This piece explains how to effectively engage and educate the board and executives to foster genuine insight and help them make fully informed risk management decisions.
For a board-level security presentation, consider focusing on the risk issues of most concern to leadership. This might include, but is not necessarily limited to, the board members’ self-perceived issues and the issues raised by the CISO that become properly embedded into the risk consciousness of the board.
We suggest taking the time to profile the leaders and meet with as many as possible to understand their fears, aspirations for the company and their individual role on the board. Who are the de facto board business, technical and risk experts? How can you tune the message so it has impact with those leaders?
Understand your company’s legal and regulatory requirements as they relate to security. How does security relate to the principles and mission of your company? Build strong partnerships with your chief privacy officer, regulatory leader and legal key players. Also, it’s worth knowing the key security threats, including, but not limited to those:
Treat your information security presentation to the board as a basis for a dialog. CISOs should consider preparing the deck and content collaboratively with two to four top leaders (typically the CIO, head of audit, CFO, etc.). Regulatory and industry compliance is assumed and not usually covered, unless there is special attention or notice to the board required. However, a good top-level message typically focuses on how the security program addresses:
With that foundation in place, your board reports and dialogs can focus on the progress of the projects and note any changes in the threat landscape that might alter your project priorities.
The CISO must ensure everyone has a common understanding of terms like security, risk, threat, etc. If any are used in critical aspects of the business, the CISO should consider adapting the definitions so they will be recognized by all. For example, if safety is a critical element in the business and there is a set of terms used by the safety organization, make sure your definitions of security, risk and threat are easily related to those established uses. A few starting points are:
The CISO must socialize the terms broadly to ensure a solid and common understanding – especially with the board.
Once you get beyond the basics of how the security organization is doing and how the company overall is doing, you likely want to start tracking individual enterprise organizations, such as business units and functions. By reporting information security metrics to the board or other executives on the status of 5-10 entities, you change the mindset from “security is just an organization” to “security is everyone’s job.” By showing dashboards demonstrating who is doing well or poorly in security risk management, you can get leadership to focus on the players who need the most help. This allows effort and board time in discussion to be spent wisely.
Some of the most valuable presentations are those that give the board genuine insight into how security works. This can happen in a variety of ways, but some strategies to consider include:
Effective CISOs manage the transition from “security is IT’s job” to “security helps everyone make good risk decisions.” Aspire to ensure risk owners are clearly identified and security supports them in the tough business decisions around risk with full transparency. Meaningful reporting on the levels of risk and progress in risk management is at the heart of every board presentation.
September 26, 2023
By IANS Faculty