With a heightened focus on keeping businesses safe from cyberattacks, particularly due to high-profile ransomware and third-party vendor supply chain attacks making the daily news cycle, organizations are looking to their CISO or cybersecurity leaders to inform their board of directors on their security posture. Boards want to know if the organization can withstand a cyberattack, what plans are in place to mitigate an attack should one occur, and to assess the organization’s cybersecurity maturity level.
Board presentations are a crucial part of a CISO’s job. In fact, many CISOs spend about 15-20% of their time prepping and delivering board presentations. It can be a “make or break” moment in a CISO’s career.
Not to mention that board members are skeptical when it comes to cybersecurity.
According to a Gartner survey, only 37% of board respondents feel confident or very confident that their company is properly secured against a cyberattack.
Your presentation to the board can help drive business decisions to continue to invest in cybersecurity, so it’s critical to give a clear and full view of your strengths and challenges.
A board presentation can go off the rails by presenting too many numbers or other details that are irrelevant to the people in the room. That’s why we’ve assembled some tips on how to deliver a presentation to your board that is compelling, delivers the right message, and helps you to continue to receive the support you need to maintain and grow a robust security program at your organization.
Build trust by researching beforehand
A cybersecurity leader presenting to the board needs to quickly establish trust among the board members. It’s an uphill battle at times. Gartner research shows that 1 in 5 board members are dissatisfied with the quality of information they receive from management regarding cyber risk.
Research each board member’s background and lean on those in the room who are more tech-savvy, or who may have experienced a breach in the past with other organizations. This will instantly build trust with the board and show that you have done your homework before stepping into the meeting. However, make sure you don’t leave the other board members out of the conversation. They might not be as familiar with the terms you are using, so make sure you aren’t using uncommon acronyms and other jargon.
Determine what the board cares the most about, so you can focus your presentation on those pain points. Most of the concerns of the board can be summed up into three buckets:
1. Is your organization achieving its revenue objectives? How does cybersecurity fit into that overall plan?
Here, you can discuss the investment your organization has made in cybersecurity, and the return on investment you can expect to see over the reporting period. Use an ROI calculator tool if you need help determining your specific ROI. Download the Binary Defense Key Economic Impact Report for an example of the cost savings metrics you can discuss. As an example, has your security platform eliminated the need to hire additional security analysts? Are your analysts able to perform other tasks because of automation through your software or because you’ve outsourced to a security operations center? Time is money, and you can calculate the hours of time saved by offsetting these tasks to a managed security services provider, as well as the salary of the FTEs you don’t need to hire.
2. Is your organization avoiding future costs? How would a breach impact the bottom line?
To address this specific question, you can look to industry reports such as the Ponemon “Cost of a Data Breach” report that is produced each year. See what the average cost of a data breach is for your industry and compare this against your security spend. Have you adequately protected the organization?
If you are in an industry where you must adhere to compliance guidelines, highlight your level of compliance in your board presentation. But stress that just because you are compliant, that doesn’t equate to total protection. Highlight that a multi-layered approach to security is most effective, and requires people, process and technology to be successful.
If your organization is in acquisition mode, you can also reference the above ROI calculations regarding staffing up to monitor the additional endpoints. If you are using an outsourced security operations center, there is no need to hire additional staff; the work would be done by the SOC.
3. What level of risk exists?
One tactic that could help with addressing these types of questions is to position your presentation into terms of compliance and risk management using your security framework as a base. Two popular models are the NIST framework and the Cyber Kill Chain framework.
Gartner recommends using the “CARE” standard, which simplifies your security posture into understandable business terms.
- Consistent: Do your controls work the same way over time?
- Adequate: Do these controls meet the business need?
- Reasonable: Are your security controls fair and appropriate?
- Effective: Are your security controls producing the intended results?
There are other frameworks out there, so use what aligns best to your organization. Create a slide that measures your current security posture against this framework and consistently update it for every board meeting. That way the board becomes used to seeing the framework and can track progress toward lowering risk.
In addition, prepare to answer questions around recent attacks that have been in the news and respond factually without speculating on the unknown. Board members want assurance that your organization won’t be the next one in the headlines. Highlight the strengths of your security program and incident response plan to give your board the confidence that you and your team are protecting the business and are prepared if a breach should occur.
Use cybersecurity metrics to tell a story
There’s no doubt that the board wants to see metrics, KPIs, and overall trends within your organization. But focusing on the numbers makes for a rather dry presentation that won’t be remembered beyond the meeting itself. The most successful security leaders frame the metrics in terms of overall maturity of their cybersecurity program.
Keep in mind that you are presenting to a business-focused audience. Many of them will not know the terms and acronyms you’re speaking in, but will understand metrics that relate to risk avoidance, downtime, impact to operations and more.
Examples of KPIs that will resonate with the board include:
- How many alarms/alerts had to be investigated by your team during that time period? If you outsource your security operations to a third-party, how many alarms/alerts were triaged on your behalf without your team’s need to step in? How does that translate into time savings and your team’s ability to execute on other projects?
- Explain what adversaries are interested in, and what your threat models are and the capabilities of attackers that can impact your business reputationally, operationally, and financially.
- What was the total amount of downtime experienced due to security operations? How does this track against your SLA?
- Have you made progress against addressing known vulnerabilities, and if not, what is the timetable? What risk is there for not addressing them?
- Share any results of security audits, penetration tests, etc.
- Map your coverage and effectiveness around various threat models to the MITRE ATT&CK framework.
And although this is your time to shine, if you paint an entirely rosy picture of your security, it might arouse suspicion. You want to demonstrate that your security program is robust and that you have thought of everything, but it is unrealistic for a board to believe that you are impervious to an attack. Threats are evolving daily. Show that you have a plan if your organization is breached.
Most board meetings have a pre-meeting handout document that is circulated among members. The expectation is that they have read the document prior to the meeting. This could be an appropriate place to report KPIs and other metrics, and then have an in-depth, more conversational discussion at the meeting itself.
Speaking of numbers, a board meeting is not the appropriate time to discuss or request budget. Discuss this with your CFO outside of the meeting. The board is not responsible for budgetary decisions, usually.
FUD is counterproductive
FUD—fear, uncertainty, and doubt—is a tactic often seen in cybersecurity. This is the principle of scaring your audience into acting. The ominous image of a dark figure in a hoodie that we often see in cybersecurity blogs and social media really does a disservice to the industry. Board members who watch the news and are fearful of what an attack like they see on television could do to their organization need reassurance that your security program is able to withstand an attack.
When discussing recent attacks, also take this opportunity to highlight the threat intelligence skillset you and your team possess. Share your insights, and make sure to keep the conversation informative, rather than using scare tactics.
Reporting on a breach
If you experience a breach at your organization, it’s expected to be a discussion point at the board meeting. Present the facts with confidence and show the procedures you followed as part of your incident response plan. It’s not the time to play the blame game or finger point. Simply present the facts:
- What happened
- How it happened (facts only; don’t speculate)
- How your team handled the situation
- What was the impact to the business (e.g. downtime, lost revenue, ransom paid, etc)
- What did you and your team learn from this experience
- How to prevent it from happening again
Rehearse your presentation
Many people do not enjoy public speaking. In fact, fear of public speaking impacts over three fourths of the population! This is why it is imperative to practice your presentation beforehand. Rehearse in front of your team, or in front of the mirror, or to the empty board room. Make sure you are comfortable with the material, enough so that you can use your slide deck as talking points, rather than reading each bullet point. A polished presentation will go a long way toward building trust and gaining buy-in from your board.
Final thoughts
Binary Defense co-founder and CTO, David Kennedy, says that “Educating your leadership team, is a critical component to make sure you have the right buy-in. Validating your controls and mapping it to something like the MITRE ATT&CK framework helps you have a different discussion with executives and leadership around how your program is doing.”
He adds that “being able to show the risk that exists from various threat actors, and what needs to be done to strengthen your organization’s defenses, helps to frame a productive discussion around how to continuously improve your monitoring and detection moving forward, and gain the support of your leadership team.”
Position yourself as a trusted and knowledgeable resource that the board can count on to present metrics that relate back to the business. This will lead to positive outcomes for your security program overall.
Sources:
- Gartner Research. Olyaei, Sam and Wheatman, Jeffrey. Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer. Refreshed 3 December 2020, Published 19 July 2019 – ID G00377323
- CEB Information Risk Leadership Council. Five Principles of Effective Cybersecurity Board Presentations.
- Gartner Research. Proctor, Paul. The CARE Standard for Cybersecurity. Refreshed 2 August 2021, Published 12 February 2020 – ID G00466058
- Gartner Research. Proctor, Paul. Cybersecurity Must Be Treated as a Business Decision. Published 14 July 2020 – ID G00731758
- Binary Defense webinar: Commodity vs. Behavorial Detections. David Kennedy Q&A. June 2021.