You look in the mirror as you button up your shirt. Today’s your presentation to the board and you need to make sure that when you leave that room the men and women around the table understand the cybersecurity strategy of the company. As Chief Information Security Officer (CISO), you’ve spent weeks mapping out this strategy, but the people in the room can make or break the plan with their funding and support.
You’re not walking in unprepared, though. You’ve laid the groundwork. You know how to articulate your points to the board, and you know they’re going to listen.
In this blog post, we outline the top 5 best practices for communicating cybersecurity to your board.
1. Know Your Audience
As a CISO, the most important step when presenting to the board is to remember who you’re talking to. All other strategies hinge on recognizing that this is the board of the company, and it has certain considerations and responsibilities, such as duty of care and loyalty. It helps to know a bit about each member, but you can assume they are intelligent, reasonable people who are interested in any well-developed plan to help the company.
2. Present Your Strategy, not Your Tactics
The board isn’t concerned with the minutia of a CISO’s day-to-day plans nor with every tactic used to make the company networks more secure. The board members are interested in your overarching plan and how it links to the company’s objectives and goals.
Demonstrate how your strategy will achieve or support one of the major aims of the organization, such as the company’s mission statement or business strategy, and you’ll have the board’s attention—and funding.
3. Balance Between Focuses and Holistic Topics
The board’s focus is, and always will be, strategy. Board members think with a broad, holistic perspective that affects the entire company now and into the future. It’s acceptable to target one specific issue in your presentation; however, you need to make sure you connect this one issue to the company’s larger risk management plan. As CISO, your work is just a part of the board’s concerns regarding cybersecurity.
You must link any focused element into the larger strategy, and always tie it back to the broad concerns and goals of the company.
4. Plan and Believe Your Message
You only have a few short minutes in front of the board. Whatever your goal is as CISO, be it asking for more money or even just providing an overview update, you must plan what your message is—and you need to believe in it.
Ask yourself what your goal is for this presentation, and ensure every word supports that goal. Prepare for questions; think through the likely follow-up questions you’ll receive (while keeping in mind who will be asking these questions and the broad concerns of focus).
Finally, you must believe in your message or no one else around that table will. These people have trained themselves to recognize a lack of commitment. Walk in with confidence.
5. Prepare Clean and Simple Materials
Just as you don’t have a lot of time to present, your materials need to be focused, clear, and helpful. You don’t want the board distracted by complicated support materials instead of focusing on your request. All visual aids, including slides and handouts, should be clear and easy to read.
A presentation to the board is important, but it’s only one part of the discussion. As a CISO, the best way to make your impression is to ensure every board member knows this is an ongoing conversation. You should follow up with one-on-ones and regular updates regarding your strategy and its support of the company’s goals.
By following these best practices, Board Members will come to understand the implications of a strong cybersecurity program. They not only begin to recognize the value of security but depend on their Security Leaders and CISO’s expertise for overall business advancement.