Skip to main content
October 12, 2015

Presenting to the Board: What Board Members Really Want to Hear From CISOs

CISO Tips: Presenting to the BoardMore than ever before, chief information security officers (CISOs) now find themselves in front of the board of directors, detailing the security incidents, issues and solutions that affect the business. For those not accustomed to it, presenting to the board can be a difficult experience, one in which they want to impart all the necessary information without wasting anyone's time. On top of the business reasons for understanding how to best present information, this experience is also important for the CISO on a personal level as it can define how the board views them.

For those CISOs struggling with how to present before a board of directors, a new survey has some insight into what business leaders are looking for. "Cybersecurity in the Boardroom," a survey conducted by the NYSE Governance Services in partnership with Veracode, asked 200 board members about their views on cybersecurity. One aspect of the report focuses on CISOs presenting to the board and exactly what kind of information the board looks for. While the entire report is beneficial for any CISO, focusing on this section will provide valuable insight into how CISOs can get the most out of the handful of minutes spent with these business leaders.

High-Level Security Strategy Descriptions

Responsibility for security incidents now goes up to the highest levels of management. If an incident occurs, the public may call on members of the C-suite or the board to discuss the incident and explain why it happened. Members of the board are therefore more invested than ever in understanding exactly what protects their systems, as evidenced by the 33 percent of respondents who selected "high-level strategy description" as their preferred method of receiving communication on overall system security.

Members of the board may not understand the technical details, but if the CISO is a good communicator with a reasonable level of business acumen, providing a high-level description of the security solutions, protocols and policies should impart enough information to satisfy the board without confusing or boring them with technical minutiae.

Risk Metrics

For boards who don't understand or want a high-level detail of the security strategy, there are other ways to express an organization's security status. The use of metrics is a good way to take information that can be difficult to understand and transform it into easily quantifiable information that the board will readily grasp.

These metrics can cover risk benchmarks compared against the whole of information security, as well as the organization's specific industry, to provide the board with the most relevant data. Metrics should also be tracked over time to allow the board to see how the situation has changed in the recent past. When the metrics are carefully built — and aren't cherry-picked for positive-looking results — they provide the board with real insight into how secure the business currently is.

Other Useful Considerations

High-level descriptions and risk metrics are the presentation methods preferred by the majority of boards, but there were a few other methods, coming in at about 10 percent each, that CISOs should know about. Eleven percent of board members were also interested in their enterprise's security and risk posture when compared to peers within the industry. This goes deeper than most risk metrics, taking intangibles into account as well.

Other board members (11 percent) wanted a deep description of the security technologies themselves. This is likely more common in high-tech industries, where members of the board are more likely to be able to grasp the core details of a technology solution.

Finally, 9 percent of respondents wanted to know the audit and compliance statistics. When audits are built properly, these numbers can be very helpful in understanding a business's overall security situation. However, if generic compliance and audit tools are utilized, these results can be practically useless. CISOs should have the security team spend time customizing their audits and compliance reports before reporting compliance numbers to the board, and ensure the board understands that generic industry compliance is simply not good enough.

Focusing on these areas before presenting to the board will provide CISOs with a significant advantage. By building an understanding of exactly what business leaders are looking for, CISOs can tailor their message to both get their point across regarding the enterprise's security and to improve their standing in the eyes of those who run the business.

Photo Source: Flickr

Related Content

Shawn Drew has spent the last five years helping businesses understand the difference that technology can make for their internal processes, external connections, and bottom line. He specializes in all things cloud computing and security, and hopes to impart some knowledge on how the two can be combined to enhance the inherent benefits of each. His work has been published on the websites and blogs of a number of technology industry leaders, such as IBM, Veracode and Boundary.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.