CEB Blogs


Information Risk

5 Myths About Presenting to the Board of Directors on Cybersecurity

Forewarned is forearmed

Miniature soldiers on a laptop keyboard protecting information security riskThe rise in the number of times companies have had their data stolen in the past few years, coupled with an even bigger rise in executive, public, and media interest in the topic, has meant a lot more questions from boards of directors.

Nearly 60% directors believe their board is more involved in information security today than it was 12 months ago and 65% of chief information security officers (CISOs) give presentations on the topic at least twice a year to their boards. There are five myths about these presentations that they would do well to avoid.

Five Myths

  • Myth #1: The goal of board presentations is to help managers take decisions (e.g., increased investment in information security):

    Reality: The board has an oversight and governance role over management’s cybersecurity or information security activities. The board is not that interested in hearing details of the management of the information security function, and doesn’t want to get involved in that management either.

    What this means for CISOs: A CISO’s goal should be to establish trust and credibility with the board through these presentations. Directors lack an intimate understanding of information security issues, and rarely are do they want to develop it further. The most important thing for the board is to have confidence that the management team understands the information risks deeply—”do we have the right management in place and can we trust them?”

    Instilling trust is not just about a CISO’s personality or how they conduct themself in the boardroom. CISOs can earn a board’s trust by doing their homework (e.g., talking to HR about employee behavior or getting an external perspective on how good the firm’s information security program is) and being transparent with directors about these issues.

  • Myth #2: The board need to see hard risk and security metrics.

    Reality: Dashboards and metrics are a useful way to give the board confidence that management knows what it is doing and can track what needs to be done, but they have limited value beyond that. They are just snapshots in time; something could go drastically wrong the day after the presentation.

    What this means for CISOs: Instead of spending countless hours devising and perfecting metrics that will make sense to the board, CISOs should stick to a story across multiple board presentations. Present security metrics in the first board presentation, but include them as an appendix or additional material thereafter.

  • Myth #3: There is little value in presenting your function’s gaps and weaknesses to the board.

    Reality: Presenting an “all-green” dashboard or report invites skepticism, not confidence from the board.

    What this means for CISOs: If done well, showing where the information security program is weak can convey a powerful message from the CISO and be a comfort to the board, providing it comes with a plan for shoring up those gaps. CISOs should also avoid management surprises or give the impression that they’ve gone behind someone’s back when discussing problems with the board.

    Security gap discussions are often linked to requests for additional investment but, in certain situations, CISOs will get the board’s attention if they give some of the money back. When the board sees that their offer of money is not the solution, it requires them to have a conversation about the real risks.

  • Myth #4: Preparing and presenting to the board is an “off the side of the desk” activity for most CISOs.

    Reality: Board presentations and follow-ups are resource intensive. Most CISOs say they spend three to four weeks personally on preparing for each board presentation which can add up to 15-20% of CISO time in a year, not counting time spent by the CISO’s boss and team.

    What this means for CISOs: Manage board presentations like a project. To make the preparation and follow up efficient as well as to maintain continuity of the conversation across different points in board interactions, CISOs should document all the steps and action steps as a playbook or process. After the presentation, and similar to a project debrief, get feedback from stakeholders, especially non-director attendees, on how you did.

  • Myth #5: The board needs to know everything that is important about information security.

    Reality: Having done all the hard work for getting ready for board presentations, every piece of information looks important but a lot of it isn’t.

    What this means for CISOs: Avoid overloading the board with too much information. For coherent board communication, CISOs must present material based on:

    • What are the messages they need the board to come away from this presentation?

    • Which decisions do they want the board to make and what information they need to make those decisions?

    CISOs should think about doing “prewire” preparatory calls with one or two tech-savvy board directors to fine tune messages and to identify where they should focus during the presentation.


More On…


3 Responses

Leave a Reply



Recommended For You

4 Steps to Assess Information Security Training Programs

Most information security teams worry about how good their training efforts are, and how they...