What to Avoid When Pitching Cybersecurity to The Board

Nov 7, 2022

Effectively pitching cybersecurity to The Board is an essential role for all senior-level security team members. You may be presenting to Corporate Boards for many reasons: suggesting a new direction for the company security policy, explaining a complex legal issue that needs to be decided quickly or simply giving an update on an ongoing cybersecurity project.

But how do you present cybersecurity and its importance in a way that gets its members to say yes?

Whether it is your first time presenting to your Board or the hundredth time, here are 8 things you must avoid when pitching cybersecurity to The Board.  

1. Falling for Board Stereotypes

With any luck, your Board of Directors is diverse and comes with many different opinions, political leanings and personalities. Try to avoid any off-color jokes and political comments that could offend the very people you are trying to persuade.  

Additionally, your Board Members are not necessarily uninterested in cybersecurity. Most members are genuinely interested in how you can better the business. So, use clear language that everyone around the table will understand, but don’t “dumb things down” to a point that you offend the audience. Using jargon that you think The Board will understand, or that you think will make you sound smarter, often just sounds like a string of nonsensical letters and words. Instead, the first time out, explain what you mean by MDR, Endpoint Detection and anomalous behavior.

Falling for Board-level stereotypes will be the downfall of your presentation. Instead, when you want to relate to your Board and create a connection, research the members individually so you can make a better impression rather than offending half the crowd.

2. Misalignment to Business

When you are trying to convince The Board to invest in security, your proposal must align with what the business is currently doing. One of the first things you should do when preparing to present to The Board is inquire about the current business priorities and goals for the upcoming quarter or year. Remember to position your pitch in a way that clearly supports these priorities, as these are issues The Board is already committed to solving.

3. Neglecting to Share Goals and Metrics

When asking management or The Board of Directors to fund security people, processes or technology, there needs to be a very clear way to measure the success of the investment.

Often, The Board’s main concern is whether or not the organization is protected. We hear the question “Are we protected?” time and time again. The truth is there is no one answer to that question, and you are often left with some gaps within the answers you can provide. But being able to supply metrics regarding different processes within your environment is one of the best ways to align security and business goals.

How can you get these metrics? Difenda works with CISOs to provide customized live metrics for your security program through the Difenda Shield.

4. Relying Only on Data  

When presenting a piece of data, remember that as the presenter you must present the story that makes each piece of data relevant to The Board.  

Data visualization helps explain what numbers mean and why they matter. This can help you transform presentations and bring numbers to life.

Let’s say endpoint data alerts at your company have skyrocketed in the past year. Your IT team has a backlog of remediations, and company data is at an increased risk of breach. That’s all the data says. But during your research, you realize it’s due to a shift in how your company is presenting security awareness training. Therefore, alerts are up because your training sessions have become less effective, and your employees are struggling to recognize and avoid phishing attacks. Your role is to present the data, explain the “why” and then propose a solution: in this case, a new security awareness training program or a managed endpoint detection and response service.

5. Forgetting To Read the Room

During your presentation, you need to keep an eye out for verbal and nonverbal cues from your audience in order to gauge their reaction to what you’re saying. This allows you to adjust your approach based on how your audience is reacting. 

For example, by enthusiastically offering support for someone else expressing a viewpoint that you agree with, or asking less engaged individuals for their thoughts, you are subtly guiding the tone of the room in a direction that works for you. 

Taking the time to acknowledge The Board’s implicit responses and adjust your approach also demonstrates your investment in their comfort and awareness of their needs and the business goals. 

6. Failing to Define Your Key Message and Outcome  

Before preparing your presentation, summarize your content and decide what information is crucial to your argument. If the Board Members only remember one or two points about your whole presentation, what would you want them to be? 

Once you have decided on your key messages, ensure that your presentation conveys those messages loud and clear. If there is a decision that needs to be made, make sure the options are very clear. It never hurts to state the options up front and explain them and their outcomes clearly so your audience can make an informed decision. 

Then, consider making a summary slide and ending the presentation with those key points and outcomes to reinforce your message one last time.

7. Providing Too Much Information

The number one way to keep your board presentation on track and engaging is to keep it concise. Think of a board presentation as a briefing instead of a novel. Board Members thrive on facts and data presented in a clear and concise manner.  

So how brief is too brief? We recommend aiming for a 15-20-minute presentation and leaving 10 minutes for additional Q&A time.  

8. Not Preparing for Questions 

An important part of pitching cybersecurity to The Board is understanding where they are coming from and thus anticipating the questions they will ask.  

While you practice your presentation, imagine you are a Board Member and think of questions you would ask about your project. Now either go back and answer those questions within your presentation or prepare an answer for the Q&A session at the end.  

You may even want to create additional slides with supporting information for specific questions. That way, when they ask you that question, you have hidden slides ready that demonstrate your strategic thinking ability.

Answer as many questions as you can, even ones you think are oversimplified or “basic” to you. But if you don’t know the answer, tell them you will get back to them with the requested information and do so promptly after your presentation. This will at least leave the audience with a good impression of you.

From planning to presenting, get everything you need for a successful Board pitch in The 2023 Cybersecurity Playbook.
