5 tips to help CISOs survive (and thrive) in the boardroom
Want to know the secret to nailing a cybersecurity board presentation? Learn from someone who’s already learned what not to do—the hard way.
As Tim Chase, Global Field CISO, mentioned in his recent blog, one of the most common pitfalls security leaders face when presenting to a board is failing to tailor the security message to the audience. In my career as a CISO for various companies, I’ve fallen into the same trap. As security leaders, we tend to talk about security and assume everyone understands (and cares), but in reality, that’s not always the case.
If you want to benefit from my mistakes so you can avoid making the same ones, you’re in the right place. Here are a few things I’ve learned from my conversations in the boardroom.
1. Identify cybersecurity drivers and champions
To effectively communicate your message, it’s crucial to understand the main drivers of your organization. Imagine you work for a scaling digital startup that just raised $500 million and heavily invests in product/engineering and marketing. They’re on their way to IPO and their leadership team consists of tech entrepreneurs. Now, think about a traditional construction company that is very cost sensitive with a leadership team that focuses on earnings before interest, taxes, depreciation and amortization (EBITDA).
To determine how you can best tailor your message to your audience, it’s key to understand whether cost or speed is the main driver for your organization. If available, the company’s annual report can help you identify which is the main driver. I personally invested a lot of time in lunch discussions with people like the CFO, CTO, CIO, CEO, and CMO. Before going to these informal lunches, I prepared questions that I wanted to ask, including some more personal ones like “What is your advice for balancing stress?” I’ve never encountered anyone not willing to give advice. It’s a good tactic to build a relationship.
You might notice that different groups of people want to move the company in different directions. It’s important for you to identify the friends and enemies of cybersecurity, and more importantly its “frenemies,” and to determine how you need to address each of them to be heard.
💡Tip: Read the financials first (multiple times). Find out each individual’s hobbies and interests; you can use these later to create relevant analogies and to ask open-ended questions. Building relationships is key.
⚠️ Trap: You might think that the board of directors or executive leadership team naturally cares about certain topics. Never assume, always verify. Often, there’s a huge gap between what we assume someone in a role should do and what people actually do.
2. Create relevant metrics to help convey the state of cybersecurity
Keep in mind that your executive leadership team and board of directors don’t spend their day only thinking about cybersecurity. Now that you have identified what’s important to them, it’s time to create metrics that are interesting to your audience (champions) and are linked to your organization’s main driver.
I’ve been asked the same questions by the board of directors and the executive leadership teams over and over again. Based on that, your metrics should answer at least the following questions:
- How are we doing? (the ultimate metric)
- Are we getting better? (progress and trend metric)
- Do you need us to act? (create sponsorship for future initiatives)
- How are our competitors doing it? (benchmarking)
The following graphic shows an example of how a cost metric could be used to visualize what you as a CISO need from the executive leadership team or the board of directors to achieve an acceptable level of cybersecurity while staying below the industry average cybersecurity spend.
Cost metrics can help your audience visualize how to achieve an acceptable level of cybersecurity while staying below the industry average spend.
You should also have meaningful metrics in your stock that help explain the figures you show. The following examples are metrics that I’ve used to help convey the state of cybersecurity and trends.
- Number of incidents with impact
- Mean time to detect and respond to incidents
- Amount of manual incident response work
- Mean time to close vulnerabilities
- Number of vulnerabilities per 1,000 lines of code
- Reported vulnerabilities and payouts via bug bounty programs
- Ratio of new vulnerabilities to closed vulnerabilities
- Overall resilience (i.e., overall maturity)
- Department resilience leaderboard (ranking internal security maturity)
- Employee awareness score over time
💡Tip: Avoid absolute numbers and try to convert them to relative numbers over time.
⚠️ Trap: You use statistics from out in the wild (e.g., the increase in hacking attacks) and think they might be relevant. Statistics are only relevant if they relate to your business and industry. It’s better to use fewer external statistics and focus on industry benchmarks.
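As an added example (not from the original post), here is how three of the metrics above, mean time to close vulnerabilities, the new-to-closed ratio, and open vulnerabilities per 1,000 lines of code, can be computed from a vulnerability-tracker export and turned into the relative, over-time figures the tip recommends. The finding records, quarter boundaries, and code size are constructed sample data.

```python
from datetime import date
from statistics import mean

# Constructed sample export from a vulnerability tracker (not real data):
# (finding id, date opened, date closed or None while still open).
FINDINGS = [
    ("V-1", date(2024, 1, 3), date(2024, 1, 23)),
    ("V-2", date(2024, 1, 10), date(2024, 2, 9)),
    ("V-3", date(2024, 2, 1), date(2024, 3, 12)),
    ("V-4", date(2024, 3, 15), date(2024, 4, 14)),
    ("V-5", date(2024, 4, 2), date(2024, 4, 12)),
    ("V-6", date(2024, 4, 20), date(2024, 5, 10)),
    ("V-7", date(2024, 5, 5), None),
    ("V-8", date(2024, 6, 10), None),
    ("V-9", date(2024, 4, 1), date(2024, 4, 11)),
]
KLOC = 80  # constructed: thousands of lines of code in scope
Q1 = (date(2024, 1, 1), date(2024, 3, 31))
Q2 = (date(2024, 4, 1), date(2024, 6, 30))

def mean_time_to_close(findings, start, end):
    """Mean days from open to close, over findings closed within the period."""
    days = [(c - o).days for _, o, c in findings if c and start <= c <= end]
    return mean(days) if days else None

def new_vs_closed_ratio(findings, start, end):
    """Findings opened divided by findings closed in the period (>1 means the backlog grows)."""
    opened = sum(1 for _, o, _ in findings if start <= o <= end)
    closed = sum(1 for _, _, c in findings if c and start <= c <= end)
    return opened / closed if closed else float("inf")

def open_per_kloc(findings, as_of, kloc):
    """Findings still open on a given date, per 1,000 lines of code."""
    still_open = sum(1 for _, o, c in findings if o <= as_of and (c is None or c > as_of))
    return still_open / kloc

def relative_change(previous, current):
    """Percentage change between two periods: the relative-over-time figure for the board."""
    return (current - previous) / previous * 100

def quarter_report(findings, period, kloc):
    """One row of the board summary for a quarter given as (start, end)."""
    start, end = period
    return {"mttc_days": mean_time_to_close(findings, start, end),
            "new_vs_closed": new_vs_closed_ratio(findings, start, end),
            "open_per_kloc": open_per_kloc(findings, end, kloc)}

if __name__ == "__main__":
    q1, q2 = quarter_report(FINDINGS, Q1, KLOC), quarter_report(FINDINGS, Q2, KLOC)
    for key in q1:  # "Are we getting better?" shown as a trend, not an absolute number
        print(f"{key}: {q1[key]:.3f} -> {q2[key]:.3f} ({relative_change(q1[key], q2[key]):+.1f}%)")
```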
3. Drill down to the core of your message
My typical board meetings took 25 minutes, even if they had been planned for 30.
Focus on what you want to accomplish and remove as much text and overhead as possible. Remove it from presentations and documents and try to shift it to a conversation and discussion.
In those conversations, you can show your expert knowledge. This will build a deep trust between you and the executive leadership team and the board. This relationship is the foundation of your success.
💡Tip: Plan 2 minutes per slide, use only a few colors and three different font sizes, and plan for a minimum 5-minute Q&A.
⚠️ Trap: You created 15 slides and added background information so that the slides can be read and understood even without the meeting. When the meeting comes, you will need to rush, and this will negatively affect trust in your skills. If they have already read everything, they won’t listen anymore because they have already made up their minds.
4. Visualization helps explain cybersecurity concepts
Using less text and more visualizations also works much better in meetings, especially when you’re trying to explain complicated concepts. This helps shift to a conversational and discussion-intense meeting that’s more impactful for the board members and helps them understand cybersecurity.
💡Tip: Get inspired by infographics, maybe even purchase a tool and turn your numbers into beautiful pictures. Show it to someone and ask what they “see.”
⚠️ Trap: You still added too much text because you believe it contains important information. But this information is important to you, not the audience. Leave out the text and use this information for the discussion.
5. Include a call to action
Don’t waste your executive leadership team’s time. They usually want to know if you need them to act, so don’t be shy—include a call to action. In my experience, you will be more successful if you have built a trusted relationship and keep cybersecurity simple and understandable for them.
💡Tip: Ask for money and resources! Even if you need a budget increase, the benchmarks will help to show that you are not spending too much, or that the money is well invested because it helps you compete with your competitors.
⚠️ Trap: You’ve been too shy and did not ask for (enough) money.
I hope these tips help you prepare for your next board meeting. If you have any questions for me or if you have your own advice you’d like to share, please reach out to me on LinkedIn to chat.
With more than 20 years of international specialist experience, including CISO roles in Switzerland, Andy Schneider is the Field CISO, EMEA, at Lacework and is a member of several advisory boards. He holds several professional certifications, such as the C-CISO, CISM, CISSP, CRISC, and is also certified in ISO 27001 and ITIL V3.