7 mistakes CISOs make when presenting to the board

Corporate boards are asking their CISOs to inform them more often about cybersecurity risks. This gives security leaders an opportunity to help senior business stakeholders better understand security’s value and makes them more likely to support and strengthen security strategies.

However, talking to the board about cybersecurity in a way that is productive can be a significant challenge, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organization. Here are some common mistakes that CISOs make when speaking to the board, along with advice for avoiding them.

1. Using over-technical security language

“When presenting to the board, CISOs need to be careful about the language they use. If they are too technical, they will lose their audience,” Michael Tamir, CISO at Cyren, tells CSO. Directors are rarely security experts and using overly technical jargon is going to be counterproductive, he adds.

“Board members don’t like things they don’t understand, and most are multitasking a thousand different things in their heads, so, perceptively, they have short attention spans,” agrees Information Security Forum analyst and former CISO, Paul Watts. CISOs must translate the deeply technical into business terms where possible and explain things they cannot. “Be as succinct as you can, use a sensible pace, and visualize rather than using lots of words.”

2. Focusing on the wrong threat impacts

CISOs should ensure that threat messaging never strays far from the business impacts to the organization, says CyberGRX CISO, Dave Stapleton. “A CISO may understand why a specific code library dependency presents a threat to an internet-facing asset, but this is likely too far in the weeds for the board of directors,” he adds.

Sounil Yu, CISO at JupiterOne, agrees. “CISOs often speak Greek when the rest of the board speaks in dollars and common sense. To connect with the board in a language they can understand, CISOs should focus their messaging on how security enables the business to enter new markets, execute on new initiatives, and quantitatively reduce annual loss exposure.”

This is where knowing what key performance indicators (KPIs) the board measures and being able to assess the impact of threats on those KPIs can be particularly helpful, says Rob Dartnall, UK council chair at information security accreditation and certification body, CREST. “Being able to relate the threat risk to the impact on a business service or the board’s main strategies and objectives is powerful,” he adds.

Security concerns that deserve the board’s attention should be framed with context into how the threats, if unaddressed, can hinder business growth or introduce unacceptable levels of operational or business risk, concurs Yu.

Regarding the code library threat example cited above, Stapleton says a security leader is far more likely to capture the attention of the board by talking about enterprise software supply chain risk and describing the return on investment (ROI) expected from implementing a code dependency analysis program.

3. Relying on out-of-box cyber risk reporting

CISOs often report cyber risk posture based on what their tools tell them, which typically focus on aggregates of operational activities, vulnerability remediation efforts, or even one-size-fits-all measures, says Peter Prizio, CEO at Booz Allen Hamilton threat intelligence spinout SnapAttack. “However, this is missing the mark. Not all risks are created equal, and those risk scores lack the nuance and context required to make them actionable.”

Instead, Prizio says CISOs need to zero in on the things the company cares about most, such as maintaining its reputation, protecting the crown jewels, or continuing operations. “They then need to tie in the specific assets that support them and assign risk in terms the board can understand.” He also warns against using compliance objectives to measure and quantify risk, as showing progress against regulatory requirements is not the same as communicating the true risks a business faces.

4. Failing to prepare for potential questions

“Board meetings are not a great place for surprises,” says James Nelson, vice president of information security at Illumio, and CISOs need to avoid being caught off guard by questions they can’t answer. “Preparation should include not just generating the content in your slides, but also thinking about what questions the board will potentially ask you and considering your answers ahead of time.”

Nelson advises apprising any executive team attendees of both your prepared material and the questions you think will be asked, as well as how you plan to answer them. “They will know you can’t guess them all, but the process can help build trust,” he adds.

5. Oversharing and security scaremongering

A boardroom is not the place to unburden yourself, although it can be tempting when you feel the collective burden of everyone’s risks on your shoulders, says Watts. “Don’t be the prophecy of doom, and be very careful when using fear, uncertainty, and doubt (FUD) as a weapon of leverage—it can come back to bite you.”

Instead, explain why you think a problem exists, and follow that with solution options, your recommendations, and their associated benefits, Watts continues. “Do this as a package.”

It’s also key to avoid segues into other debates as they surface during conversations. “Take a mental note, park them, and come back to them,” Watts says. When it comes to giving bad news, avoid allegations or confrontation during delivery. “Prepare the audience in advance to soften the blow. Boards do not like surprises —especially bad ones.”

6. Presenting cybersecurity as a cost center

“A common mistake made by CISOs when speaking to the board is not addressing the outdated view that security is a cost center,” Mandy Andress, CISO at Elastic, tells CSO. “That mindset must change, and CISOs should help the board see security as a business enabler that facilitates growth and innovation.”

Jasmine Henry, field security director at JupiterOne and a former CISO, concurs. “Security leaders often approach board meetings hoping to win additional resources and budget. While it can be tempting to make a case for security investment by presenting a complex laundry list of technical needs, CISOs should consider how to change board member perceptions of security as a cost center,” she says.

CISOs can win board endorsement by presenting evidence that security is a revenue-driver instead of a costly function, and this can be achieved by quantifying the bottom-line impact of security on profitability, Henry adds. “Important metrics include security’s involvement in the sales process, the velocity of completed sales security questionnaires, and the total revenue value of all customer contracts that include security and compliance obligations.”

Likewise, if outages or costs are occurring due to a particular type of attack, relaying what the increased profit would be, based on removing that threat, can be helpful, says Dartnall. “An example would be: We refunded £XXm in fraud against our clients based on Y attack type. By implementing this control, we will recover £Xm in lost revenue,” he says.

7. Not investing in relationships outside the boardroom

Matthew Smith, divisional director, cyber and information security at St. James’s Place Wealth Management and ClubCISO member, says that CISOs can be guilty of failing to engage with board members outside of the formal board context. “Understanding your audience’s personal and professional motivators helps you more succinctly land any message or content you are presenting upwards,” he adds.

Often having context or addressing issues outside of the formal channels helps build rapport and ensures that your content is suitable and relatable to those you want to influence or impact. This is something Watts agrees with. “This is stakeholder management 101: Research your board, understand their motivations, and find boardroom allies, especially non-technical ones who can help you stress test pitches in advance. When it comes to getting business cases signed off, divide and conquer: take complicated or big-ticket pitches to them all individually and work out the wrinkles well in advance,” he says.

CISOs can then leverage the outcomes of these conversations to isolate any dissenting voices with a consensus of buy-in from others. “Make them all feel like they’ve contributed,” Watts says. “You need to be a politician, salesman, account manager, matchmaker, and mediator.”