Over the past year or so, board members have become more aware of cybersecurity and their responsibility in this area. As a result, more security officers are being invited to present at a board meeting for the first time. Perhaps you are one of them.
If you are a CSO or a CISO and you have limited or no experience in presenting before the board, there’s a process by which you can educate yourself and be as prepared as you can be. I read once that every time you make a board presentation, it takes 175 hours to get ready for your time in the spotlight. In my experience, I’d call that a low estimate of the true prep time. In other words, give yourself a lot of time to prepare so that you are ready for whatever questions come your way.
Understand the board’s interest in cybersecurity
The first step in the process is to understand why you are being asked to talk to the board. You need to understand your audience and what they expect to hear. Board members’ interest in cybersecurity is definitely on the rise, and here’s a bit of the backdrop on why.
There are three primary reasons for today’s heightened level of cybersecurity awareness in the board room. One, it has come to directors’ attention that there are litigation risks associated with an organization’s cybersecurity and information protection programs. The Target Corporation breach in 2013 led to the company’s CEO and CIO resigning and the directors themselves facing litigation from angry shareholders. Today, most members of corporate boards want to understand the organization’s security posture and their potential exposure to litigation.
A second issue that has caught the board’s attention is that, in 2011, the SEC issued guidance on material risk that must be reported in your company’s 10-Q and 10-K filings. When there is material risk related to the state of the security of your network or the potential impact of a major cyber incident, it must be included in these reports. Enforcement of this requirement began in 2014, and so the board is now involved in understanding cybersecurity risk to stay in compliance with SEC reporting requirements.
A third development that has come to the board’s attention is cybersecurity insurance. A large corporation typically has an insurance portfolio managed by a director of insurance. This director probably makes an annual all-insurance portfolio presentation to the board, and directors have recently seen cyber insurance added to that portfolio. Given that a cyber insurance policy can be a significant cost, directors will want to understand the risk it is compensating for.
Over the past 12 to 18 months, these three issues have all become independent board meeting agenda items. In addition, many board members take training from the National Association of Corporate Directors (NACD), which of late has been instructing members about cybersecurity, governance requirements, and board responsibility. Thus, the board is hearing about cybersecurity long before you are asked to present. With that in mind, you might be invited to make a full presentation, or to answer specific questions, or both.
You’re on the meeting agenda. Now what?
The first time you are asked to address the board, you need to do your homework. Start with the obvious research by pulling the biographies on the board members. This can help you understand their backgrounds and their likely knowledge of security-related topics.
Next, consult with the person who organizes the content of the board meetings. In large companies, that is often the General Counsel or an assistant counsel. Ask what a typical board meeting is like. Find out which board members ask questions around risk or other topics you should be prepared for. When you learn who the people are and how the board thinks, you will feel more comfortable about the situation you are walking into.
Then there is your presentation to prepare. Keep it high level; don’t try to get into a granular discussion of your technology. What they most likely want to know – at a high level – is what your cybersecurity strategy is, what your vision is, what your top four or five objectives are, and how you know you are meeting those objectives. Most importantly, they want to know how your work enables the company to achieve its objectives.
Your presentation is also a litmus test…of you. The board is listening to you to gauge, “Do we have the right person in place? Does he or she have the right programs in place? How do we know whether they are successful?” This is another reason to spend sufficient time getting prepared. You want to leave a favorable impression of your capabilities and leadership.
What to discuss?
What should you present in the 10 to 15 minutes of your agenda time? Take your lead from what the meeting organizer tells you the board members want to hear. You could be called upon to give a broad presentation on your cybersecurity program, or to have a focused discussion on a particular topic.
One question that often comes up is, “How do we compare to other companies in our industry?” You need to figure out how to answer that question. If you’ve recently had some benchmarking done by a third party, the answer might come easily. Otherwise, it might involve lots of discussion with your peers to make your own assessment.
If you use a slide deck, be aware you’ll need to finalize it about a week before the meeting date. This gives the directors time to scrutinize your words and think about the questions they will have for you. Speaking of your words, look at each word on the slide and ask yourself, “Is this exactly what I mean to say?” Don’t leave things open to interpretation, and don’t use inflammatory words. For example, you might show the importance of a security event by using the word “critical.” To a director, “critical” means the company is in cardiac arrest and is getting ready to go under; using that word tells them something is about to sink the ship. Choose your words carefully.
If you don’t know what to include in an overview presentation, here’s a tried and true format that ensures you have a brief, yet comprehensive presentation:
Use five slides:
- Your vision and your top 5 strategic objectives.
- An org chart to introduce your team and their areas of responsibility.
- Your key initiatives, how each one ties back to your strategic objectives, a target completion date, and percentage that’s complete.
- Where you are relative to your industry overall.
- Your roadmap.
If you want, you can add a slide with a few key metrics and their explanations.
Find out what other CISOs present
You aren’t the first CSO/CISO to be asked to present to the board. Talk to your peers outside of your company to learn about their experiences: what they have presented, what questions were asked of them, etc. There’s no need to reinvent the wheel if you can borrow from someone else’s success. Security Current can help you make connections to your peers.
If you do your prep work and you know your stuff, you can have a good – even enjoyable – experience presenting to your Board of Directors.
About the author
R. David (Dave) Mahon has served as chief security officer for CenturyLink, Inc. since April 2011. He has the privilege of talking to the CenturyLink Board of Directors every quarter.
As CSO for the third-largest communications provider in the U.S., his responsibilities include enterprise-wide security strategy, information security, cyber defense, critical infrastructure protection, physical security, network fraud and abuse, industrial security, international travel security, threat intelligence, workplace violence prevention, executive protection and investigations. He is also the company’s liaison with the National Security Telecommunications Advisory Council (NSTAC), National Cybersecurity and Communications Integration Center (NCCIC), as well as federal and state law enforcement and homeland security agencies.