There's no business like show business
Presenting to the board of directors has become an ongoing reality for many CISOs and senior security professionals. That cybersecurity has been elevated to this level of discussion is at once positive (businesses are finally taking security seriously), negative (security incidents have grown so ubiquitous that everyone is afraid of falling victim), and stress inducing (“How do I present what the board wants or needs to hear”). The specifics of what should be included in each company’s presentation depends on the individual company, the company’s threat landscape and accompanying risk tolerance, time allotted for the presentation, and the board’s interests/company growth strategy, but some general rules of thumb for what to avoid will help keep your presentation tight and ensure your audience doesn’t pay more attention to incoming emails and texts than what you’re saying.
Everything about it is appealing
For security practitioners, the most interesting part of the job is often the technical details of what’s happening—from the alerts coming out of your SIEM or firewalls, to cyber threat analysis and learning about new vulnerabilities in implemented software or hardware. But rest assured: no one on the board is as interested in these details as the security team, and using role-specific terminology throughout your presentation will only serve to make non-security pros glaze over, says James McQuiggan, Product & Solution Security Officer at Siemens. What the board really wants to know is the impact on business—what is hindering forward progress. Therefore, spend your time presenting information that can be translated into business and risk terms.
If speaking security lingua franca becomes necessary to illustrate a point or describe a risk scenario, McQuiggan recommends turning technical jargon into something easily understandable by a diverse crowd whose areas of expertise are outside of technical security. Instead of speaking down to your audience, use relatable analogies or basic explanations. Be prepared to have to drill into specifics, warns McQuiggan, and know that the conversation can easily derail if you don’t have a plan to bring it back around to your main content. What you definitely don’t want to do is allow your presentation to be hijacked, forcing you to spend your allocated time explaining technical jargon rather than showing how security is helping the organization drive business (or where it needs help to propel business further). This trap is all too common in security board presentations and has earned security teams the reputation of being disconnected from the business.
Too much visual input
Slide decks can be a great takeaway for your audience, especially if you’re given a minimal amount of time for your in-person presentation. That said, many presenters make the mistake of cramming the leave-behind chock full of text, charts, and visualizations, believing that what they can’t get to during the live event will be available for audience members after the presentation concludes. Nine times out of ten, your board of directors will not revisit your handout(s) following the presentation, and a huge amount of gobbledygook will make the live presentation less effective.
Showing an “eye chart” to the board will be distracting; your audience will either spend the time trying to read what you’ve written and stop listening to what you’re saying, or they will gloss over both your spoken and written words as they attempt to listen and read at the same time, in both cases, causing loss of focus.
Instead of cramming your slides with information, advises McQuiggan, “KISS: keep it smartly simple. Use images or charts to provide clarification,” and don’t confuse “more” with “better.” Instead, fit your remarks—and accompanying materials—to fit the time slot provided. If you have more information to share, tell the board! Let them know additional time is necessary to fully explain a situation or state of affairs. That said, it’s likely that you’ll find your presentation improves as you shore it up.
A loose agenda
You might know exactly what you’re prepared to talk about during your 10, 20, or 60 minutes of assigned time, but no one else does. Even if you were asked to review X, Y, and Z, with everything else on the board’s agenda, it’s very helpful to clearly show the plan at a high level, “so they know what they’re in for,” says McQuiggan. Not only does a succinctly-stated agenda provide a preview of what’s to come, but it will help keep the discussion moving forward in alignment with that needs to be covered.
When faced with a block of time, it’s easy to ramble on about one topic versus the other, or veer off in a tangential direction then miss a salient item. Before you dive right in to your presentation, “use bullet points to explain your goals,” says McQuiggan, then refer back to them throughout to ensure you’re on target.
In some cases, the discussion will need to take a turn and/or you might not finish everything you’ve prepared. If the board deems a particular topic worthy of deeper probing, by all means work through that topic. Sharing your agenda at the start, though, is a guideline for what should be covered…at some point, if not during that initial meeting.
Ramblings and musings
Is there anything more annoying than sitting through a meeting where one person rambles on about what’s on his or her mind and doesn’t consider the rest of the group’s needs, concerns, or job responsibilities? Some people make the mistake of thinking that a presentation is an opportunity to steal the spotlight and talk about what they want to talk about. Especially when it comes to the board of directors, this could not be farther from the truth. Board-level presentations are meant to address business-critical topics, those which help or hamper operations. With your security presentation, before you even start putting together your presentation deck, learn the board’s interests in and goals for your presentation, then narrow your agenda to hit those “hot buttons.”
In addition, as with “using technical jargon,” going into excruciating detail or drawing out a point that’s already been made is a fast way to lose the board’s attention. Be precise in what you have to present—and make sure you’ve practiced your narrative says McQuiggan. Naturally you’ll need to be flexible—few board meetings run entirely uninterrupted—but rehearsing your flow ensures you’ll cover the pertinent points.
Fluffy (or lack of) takeaways
“Have a goal and an action item for the board,” offers McQuiggan. Remember, he says, that “you’re talking to the people that have the most power in the company, that can get things for you. Make sure your presentation is concise, to the point, and you have a request or follow-up activity for them.” Leverage your time wisely and make sure the board not only understands how the security program is running, how it’s helping the organization, and what further issues need to be addressed to improve the company’s overall cybersecurity risk posture, but also provide a call to action (CTA): something in which the board can participate. This CTA might be convincing the board to allow a security training program for the HR team, sign off on increased funding, or just mention security during the next company-wide meeting. It needn’t be a big ask, but gain the board’s support through active involvement.
Everything the traffic will allow
Presenting to the board may be stressful and require a ton of preparation, but it’s also an opportunity for the security team to gain greater awareness and backing for the security program. Don’t head into that meeting with the notion that you’re merely undertaking due diligence; use your face-to-face interaction with the higher ups to gain ground.
Every chance security gets to speak with others in the organization—especially those that influence the company culture and direction—is an occasion to help educate, recruit allies, and earn support. Don’t squander this opportunity by walking in unprepared. Instead, flip the switch and carefully plan your talk to address the needs of the organization, through simple, clear, and concise explanation, and with advice or recommendations the organization can use to drive business forward.