CEB Blogs


Information Risk

3 Principles to Improve Your Board Presentations

Take every opportunity to build the board's confidence in your abilities, use a consistent framework throughout all presentations, and learn how to tell a compelling story

As catastrophic data breaches become more and more frequent – and as they become a fixture of the 24-hour news cycle – corporate directors face mounting scrutiny from shareholders and regulators to tighten oversight. As a result, chief information security officers (CISOs) are presenting to their boards more frequently, for longer at a time, and to the entire board rather than just a subcommittee.

For many, this can be a daunting experience; it means putting one’s personal and professional credibility on the line. CISOs should nevertheless view this kind of exposure as an opportunity. Well-run presentations can be the key to gaining the trust of the board and senior executives, which can pay dividends in terms of access to more funding, greater influence on executive-level decision making, and, perhaps equally importantly, job security if – or when – something goes wrong.

Three Principles to Follow

From dozens of conversations that CEB has had with some of the best information security teams in the world, it’s clear they rely on three principles when preparing their board presentations.

  1. Take every opportunity to build the board’s confidence in your abilities: With each presentation, the CISO’s objective, first and foremost, is to build the board’s confidence.

    Directors rarely possess a deep understanding of information security and instead rely on executives like the CISO to keep them informed and manage risk issues. In each presentation, board members want to see a CISO demonstrate the subject-matter expertise and leadership skills necessary to lead an important function at the highest levels.

    What separates a good CISO from an average one is the degree to which he or she anticipates the board’s concerns and supplements his or her own expertise with that of independently credible sources. For example, some CISOs circulate the agenda of their board presentations among their counterparts at peer organizations in order to “benchmark” their strategic priorities against one another’s.

    This also allows CISOs to build credibility by showing the board how their priorities are consistent with the rest of the industry.

  2. Use a consistent framework throughout the presentation: Many leading security organizations assess the state of their information security controls by mapping their capabilities to a security controls framework, such as ISO 27001/2, NIST CSF, or HITRUST.

    Leading CISOs go one step further by using their chosen framework to structure their presentations to the board. A controls framework is a natural starting point for board-level discussions because it illustrates a consistent process for managing information risks (i.e., Identify, Protect, Detect, Respond, and Recover – see chart 1).

    And, since they’re developed in conjunction with panels of experts, government bodies, and regulatory entities, frameworks are credible benchmarks against which to assess maturity, uncover vulnerabilities, track improvements over time, and identify priorities for future investments.

    When preparing a board presentation, CISOs can use their framework to:

    • Update the board on the company’s approach to information security.

    • Frame security governance discussions.

    • Understand risks and unpack breaches in the news.

    • Harmonize regulatory requirements with broader risk management activities.

    Further, since adhering to or complying with a controls framework is optional, doing so sends a strong signal to the board that the information security team is doing a competent job, which allows the CISO to provide assurance and build confidence.

    Chart 1: CEB’s information security framework (Source: CEB analysis)

  3. Tell a compelling story: Often progressive CISOs advise against displaying detailed operational metrics, as they’re unlikely to resonate with board members. And, although board members are accustomed to seeing quantifiable risk metrics from other business functions, this is unachievable and inadvisable in the context of information risk management.

    Instead, leading CISOs talk about “controls maturity” (i.e., how good their controls have become), and the role they play in the information security framework, as the basis for board-ready metrics. Controls maturity gives CISOs a persuasive tool to talk about the current state and future goals of their function (see chart 2 as an example).

    • Maturity data presented against clear benchmarks provides directors with information to easily absorb and react to.

    • Tracking over time shows year-over-year progress against goals and provides additional reference points for the board.

    • Controls maturity can be visualized at high or low levels of granularity, as appropriate for board audiences of varying technical sophistication.

    • Benchmarking controls maturity against that of peers is a powerful tool for gaining investment buy-in.

    Chart 2: Current maturity and future goals (Illustrative; source: CEB analysis)
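The rollup behind a chart like the one above is simple enough to show in code. The following Python is an added illustration, not CEB's own tooling or analysis: it maps per-control maturity scores to the five NIST CSF functions named under principle 2, averages them to board-level granularity, reports year-over-year change, gap to target and position against a peer benchmark, and ranks the functions with the largest gap as investment priorities. The control identifiers (`ID-1`, `PR-1`, …), the 1–5 maturity scale and every score are constructed sample values, not real framework control numbers or any firm's data.

```python
from dataclasses import dataclass
from statistics import mean

# The five NIST CSF functions, in the order a board is used to seeing them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical label, not a real framework control number
    function: str     # one of FUNCTIONS
    last_year: int    # maturity score at last year's review (constructed, 1-5 scale)
    current: int      # maturity score today
    target: int       # goal agreed for the next review
    peer: float       # constructed peer-benchmark value for the same control


# Constructed sample data; scores are illustrative only.
SAMPLE = [
    Control("ID-1", "Identify", 2, 3, 4, 3.0),
    Control("ID-2", "Identify", 2, 2, 3, 3.0),
    Control("PR-1", "Protect", 3, 4, 4, 3.0),
    Control("PR-2", "Protect", 2, 3, 4, 3.0),
    Control("PR-3", "Protect", 3, 3, 4, 4.0),
    Control("DE-1", "Detect", 1, 2, 4, 3.0),
    Control("DE-2", "Detect", 2, 2, 3, 3.0),
    Control("RS-1", "Respond", 2, 3, 3, 3.0),
    Control("RC-1", "Recover", 1, 1, 3, 2.0),
]


def rollup(controls, attr):
    """Mean of one score column per CSF function: the board-level granularity."""
    by_fn = {fn: [] for fn in FUNCTIONS}
    for c in controls:
        if c.function not in by_fn:
            # A control mapped to nothing (or a typo) would silently skew the chart.
            raise ValueError(f"{c.control_id}: unknown CSF function {c.function!r}")
        by_fn[c.function].append(getattr(c, attr))
    return {fn: round(mean(v), 2) for fn, v in by_fn.items() if v}


def function_report(controls):
    """One row per CSF function: current score, trend, gap to target, and peers."""
    cur, prev = rollup(controls, "current"), rollup(controls, "last_year")
    tgt, peer = rollup(controls, "target"), rollup(controls, "peer")
    rows = []
    for fn in FUNCTIONS:
        if fn not in cur:
            continue  # no controls mapped to this function yet
        rows.append({
            "function": fn,
            "current": cur[fn],
            "yoy_change": round(cur[fn] - prev[fn], 2),
            "gap_to_target": round(tgt[fn] - cur[fn], 2),
            "vs_peers": round(cur[fn] - peer[fn], 2),
        })
    return rows


def investment_priorities(controls, n=3):
    """Functions ranked by largest gap to target; ties go to the one furthest behind peers."""
    rows = function_report(controls)
    rows.sort(key=lambda r: (-r["gap_to_target"], r["vs_peers"]))
    return [r["function"] for r in rows[:n]]


def control_detail(controls, function):
    """Drill-down to control granularity for a more technical audience."""
    return [(c.control_id, c.current, c.target)
            for c in controls if c.function == function]


if __name__ == "__main__":
    for row in function_report(SAMPLE):
        print(row)
    print("investment priorities:", investment_priorities(SAMPLE))
    print("Detect detail:", control_detail(SAMPLE, "Detect"))
```

The same table feeds both audiences: `function_report` is the five-row view a board can absorb at a glance, and `control_detail` is the drill-down for an audit committee that wants to see which controls are pulling a function's average down. Rejecting unmapped controls rather than skipping them is deliberate, since a missing mapping would otherwise make a function look better than it is.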
