5 steps that can help CISOs win over the board on security programs
We recently released the results of a study into the biggest challenges CISOs face according to CISOs, specifically security leaders at major global enterprises who are part of Kudelski Security’s Client Advisory Council. Unsurprisingly, communication with boards of directors was called out overwhelmingly as one of the biggest challenges CISOs face.
It’s not surprising for two reasons: First, many board members are not security experts, so CISOs need to work to engage with them in their language. Second, the amount of time a CISO has in front of an organization’s board – which, importantly, validates strategic investments and budget recommendations – is often only around thirty minutes per quarter.
That means CISOs need to both answer board questions and deliver a concise but engaging presentation that addresses board priorities, positions security as a business risk, and communicates a highly technical and complex subject in a way that resonates and secures the resources the security team needs to do its job.
Before getting into the specifics of what an effective presentation looks like, there are important numbers to keep in mind.
First, frequency. The majority of CISOs present to boards once a quarter for 30 minutes, with an annual deep dive that may take an hour. Many CISOs say their allotted presentation time is often reduced to make room for others.
Second, preparation time: a single 30-minute session can take a CISO and their team between 40 and 85 hours over a period of two to three weeks, including anywhere from five to 25 revision cycles as part of the internal review process. Finally, given the 30-minute-or-less slot, board presentations should be no more than five to seven slides, and there should be a way to present the key information in two slides in case the presentation time is cut short.
Given these tight restrictions, structuring an effective presentation is understandably difficult. To point CISOs in the right direction, the global security leaders we surveyed recommend focusing on planning for and addressing the following areas in a typical board presentation:
1. Situational Awareness: Shedding light on emerging security trends in your sector is important, but even more critical is explaining their relevance to your organization. Show who is attacking (cyber criminals or nation-state adversaries), what they are targeting and why, and how the security team is working to mitigate those risks.
2. Incident Response: Present noteworthy incidents the security team handled that didn’t need immediate escalation to the board level. Show how each issue was handled, including which of the controls in place proved helpful. Use a storyboard to depict an external breach or an incident tracked internally.
3. Risk/Threat Lens: Define the organization’s risk appetite and risk tolerance and present your operational and continuous assessment processes. Summarize in business terms the critical, unresolved security risks, your remedial action and controls and the residual risk expected following remediation.
4. Capability Maturity Aligned to a Common Framework: Measure the maturity of the security program across all entities and locations, highlight the weak links, and show trends quarter by quarter. Many CISOs across industries align their security program to the NIST Cybersecurity Framework.
5. Strategy: Provide an 18-month outlook based on an assessment of threats, regulations, business objectives, risk profile, and program maturity. Two slides that can be helpful include a refresher on program drivers and capability tied to the drivers, and a summary of how the security program is moving toward the target milestones. Here it’s important to demonstrate progress, pace, alignment, and continuous improvement.
If a CISO ends up having extra time, some additional areas to address include peer parity, which shows the security program’s maturity level and how it compares with other similar brands and the broader sector. CISOs should also be prepared to address the question of whether the company has enough cyber insurance. Finally, board members can benefit from an overview of hot topics, e.g. third-party risk management, targeted threat detection, rapid response, business-driven strategies on cloud adoption, and mobility.
The bottom line for CISOs is that board presentations are critical for highlighting all the work security teams do and for justifying either their current budget or their request for additional resources. It is the moment to engage the board in the importance of cybersecurity and to present oneself as a business enabler and a confident leader who understands both the technology and the organization’s broader issues and challenges.