4 Common Mistakes CISOs Make When Presenting to the Board
Written by: Jeffrey Wheatman
Consider this: In one recent study, just 69% of surveyed board members said they see eye-to-eye with their CISOs. For many companies, this misalignment can be costly, especially as cyber attacks become more common, damaging, and visible.
If CISOs want to drive impactful change around cybersecurity for their companies, they must find ways to better communicate, collaborate, and build trust with their board executives. To do so effectively, avoid the four following mistakes.
Mistake 1: Failing to Address Business Goals and Objectives During a CISO Board Presentation
One of the most common mistakes we see CISOs make when presenting to the board is leading with all sorts of “how” and “what” details — in other words, they get wrapped up in the details of what a risk or threat is and exactly how it works, without putting it in context of how it could impact the business as a whole.
Here’s a hard truth: None of the details you share matter without context. If the board doesn’t understand why the information you’re presenting is important, they’re unlikely to process the details you share with them. Even worse, the board may project their own confusion onto you and suspect that you’re too caught in the security weeds to understand the big picture of the business — making it harder to gain their buy-in and trust.
Do This Instead: Craft a Narrative
Instead of leading with “how” and “what,” tell a story or craft a narrative for the board. In practice, this looks like leading with the “why” and connecting your findings to business goals and objectives. Ask yourself: Why does the information matter to the board? In what ways does this information impact our business goals and objectives? What would happen to the company if we didn’t address this risk?
While each company has its own specific business goals and objectives, keep in mind that generally, most board executives care about three things: Money coming in, money going out, and who is accountable if something goes wrong.
By putting risks in the context of how they impact your business at a high level, you can establish trust early with the board.
Sample Talking Point
Try this: “I know managing cash flow is a top priority this quarter, which is why I’m raising the risk of spear phishing (phishing aimed at specific, often privileged, users). We have seen a large increase in financial fraud that uses phishing as its entry point. If left unaddressed, it is fairly likely that spear phishing aimed at accounts payable staff will hit our cash outflows, potentially by millions of dollars.
Our team is already combating spear phishing with additional training, AI-enabled fraud detection, and new approval processes for high-value transactions, but we need your support at the senior executive level. Many line managers view these controls as a hurdle to “doing business,” but we strongly believe they will dramatically reduce our risk exposure with minimal impact on productivity. We will draft a one-pager for your signatures so the business understands how critical this is.”
Instead of this: “Our company saw 20 reported phishing attempts last quarter, 25% via email, 50% via text, and 25% through phone calls. These phishing attempts targeted the finance, marketing, and engineering departments. We need to improve our protection around phishing.”
Mistake 2: Overemphasizing Threats Instead of Risks
One unfortunate truth about cybersecurity is that there will always be a new threat to combat. While many security professionals understand this, board members aren’t interested in seeing a laundry list of threats and fear, uncertainty, and doubt (FUD).
As a result, spending your time with the board educating them about every new threat out there — whether it impacts your business or not — can create a form of “threat fatigue” that leads to complacency and desensitization. Coming to each board meeting with a list of new threats can, in turn, position you as “the security leader who cried wolf.”
Do This Instead: Work Backwards from Business Goals
Remember, cyber threat intelligence is information on a cyber threat, whereas risk intelligence is information on the risk a threat poses to your business. At the end of the day, mitigating a threat to your business usually requires a tactical response, not a business response. Instead of bringing threats to the attention of the board, focus on risks to your organization that require business action to mitigate.
In practice, think of it this way: Communicate the threat landscape (e.g., “We saw an uptick in business email compromise against our industry”) rather than individual threats (e.g., the details of one specific email compromise campaign). Then draw clear links between that landscape and business impact. From there, you can go into more specific detail and requests if the board needs them.
Sample Talking Point
Try this: “There’s a new ransomware group targeting companies of our size in our industry. If we are hit, the attackers would likely steal regulated data, which would mean fines, loss of trust, loss of customers, and possible litigation. A typical ransomware attack also causes operational impacts such as downtime, supply chain disruption, and reputational damage. We have also seen ransom demands increase by 20% over the last three years.”
Instead of this: “Five new ransomware groups are on the rise this year. Here are details about each.”
Mistake 3: Assuming the Board Wants All the Details
As a CISO, your experience and expertise can be a blessing, since your knowledge can guide big decisions around your company’s security. The key to a productive conversation with the board is making sure that expertise doesn’t become a curse as well. Often, we see CISOs fail to connect with their board members because they fill their presentations with too much detail.
The reality is that your board wants to understand the big picture: It wants visibility into high-level trends and patterns, how things are changing over time, and to what extent something impacts revenue. What they don’t want to hear about are tactical details, controls, and processes, such as how many missing patches the company has or what percentage of your data isn’t encrypted. While you may find these details to be compelling proof points, your board likely does not have the expertise to put this data into context.
Do This Instead: Flag Trends and Patterns
As a rule, if your board members are fiddling with their phones or zoning out, that’s your cue to zoom out. Next time, instead of focusing on the details, show your board that you’re focusing on the big-ticket items that could materially affect the business. Instead of reporting raw numbers (such as the number of patches your team has completed), report the trend (our speed in patching critical systems is improving quarter over quarter).
Not sure if you’re providing the right level of detail? Run your presentation by someone outside the security department before your meeting to figure out where you’re shooting too high or too low.
Sample Talking Point
Try this: “To ensure a seamless customer experience and stay within our risk tolerance, we have committed to patching business-critical systems within 48 hours. Over the last 90 days, we have improved from 67% compliance with that target to 90%. Due to technical limitations and asset scope, we believe 90% is as good as we’ll get without significant investment in headcount and tools. We believe we are within our risk tolerance and at the point of diminishing returns for any target beyond 90%. In other words, it would cost a lot to do better, and it would not materially improve our risk posture.”
Instead of this: “We identified 95 vulnerabilities last quarter, which is 25% more than the previous quarter.”
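The two talking points above come from the same raw data; the difference is the metric. As an added example (not code from the original article or from Black Kite), the script below turns a constructed set of vulnerability findings into both numbers: the raw finding count the page says not to lead with, and the 48-hour SLA compliance trend it recommends instead. The records, asset names, dates and quarter boundaries are all invented for illustration; the cohort rule (a finding is attributed to the period in which it was detected, and an open finding never meets the SLA) is a design choice made here, not something the page specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# The commitment stated in the talking point: business-critical systems patched within 48 hours.
SLA_HOURS = 48


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    severity: str                 # "critical", "high", ...
    detected: datetime
    patched: Optional[datetime]   # None while the finding is still open


def within_sla(rec: PatchRecord, sla_hours: int = SLA_HOURS) -> bool:
    """An open finding never meets the SLA; a closed one must be patched within sla_hours of detection."""
    if rec.patched is None:
        return False
    return rec.patched - rec.detected <= timedelta(hours=sla_hours)


def sla_compliance(records: List[PatchRecord], start: datetime, end: datetime,
                   severity: str = "critical", sla_hours: int = SLA_HOURS) -> Optional[float]:
    """Percent of findings of the given severity detected in [start, end) that were patched inside the SLA.

    The cohort is chosen by detection date, so a fix that slips into the next quarter still counts
    against the quarter the finding was discovered in. Returns None when nothing is in scope, so an
    empty period is not reported as 0% (a failure) or 100% (a success).
    """
    cohort = [r for r in records if r.severity == severity and start <= r.detected < end]
    if not cohort:
        return None
    met = sum(1 for r in cohort if within_sla(r, sla_hours))
    return round(100.0 * met / len(cohort), 1)


def finding_count(records: List[PatchRecord], start: datetime, end: datetime) -> int:
    """The raw number the page advises against leading with: all findings detected in the period."""
    return sum(1 for r in records if start <= r.detected < end)


def board_trend(records: List[PatchRecord], periods: List[Tuple[str, datetime, datetime]]) -> List[dict]:
    """One row per period, placing the raw count next to the SLA figure the board should actually see."""
    return [
        {"period": name,
         "findings": finding_count(records, start, end),
         "sla_pct": sla_compliance(records, start, end)}
        for name, start, end in periods
    ]


def _rec(asset: str, severity: str, detected: str, hours_to_patch: Optional[float] = None) -> PatchRecord:
    """Helper for building constructed sample data; hours_to_patch=None means the finding is still open."""
    d = datetime.fromisoformat(detected)
    return PatchRecord(asset, severity, d, None if hours_to_patch is None else d + timedelta(hours=hours_to_patch))


# Constructed sample data, not real findings. Chosen so that the raw count rises sharply
# (7 -> 12) while the critical-system SLA figure improves (66.7% -> 90.0%).
SAMPLE_RECORDS = [
    # Q1 2024: 6 critical findings, 4 patched inside 48h; one "high" finding outside the SLA scope.
    _rec("web-01", "critical", "2024-01-10T09:00", 24),
    _rec("db-01", "critical", "2024-01-20T09:00", 72),
    _rec("api-01", "critical", "2024-02-02T09:00", 35),
    _rec("vpn-01", "critical", "2024-02-15T09:00", 12),
    _rec("mail-01", "critical", "2024-03-01T09:00", 72),
    _rec("hr-01", "critical", "2024-03-20T09:00", 24),
    _rec("wiki-01", "high", "2024-03-05T09:00", 300),
    # Q2 2024: 10 critical findings, 9 inside 48h, 1 still open; two "high" findings outside scope.
    _rec("web-02", "critical", "2024-04-03T09:00", 20),
    _rec("db-02", "critical", "2024-04-12T09:00", 40),
    _rec("api-02", "critical", "2024-04-22T09:00", 8),
    _rec("vpn-02", "critical", "2024-05-02T09:00", 30),
    _rec("mail-02", "critical", "2024-05-10T09:00", 47),
    _rec("hr-02", "critical", "2024-05-18T09:00", 24),
    _rec("erp-01", "critical", "2024-05-26T09:00", 16),
    _rec("crm-01", "critical", "2024-06-04T09:00", 36),
    _rec("sso-01", "critical", "2024-06-14T09:00", 44),
    _rec("legacy-01", "critical", "2024-06-25T09:00", None),   # open: counts against the SLA
    _rec("wiki-02", "high", "2024-04-15T09:00", 200),
    _rec("build-01", "high", "2024-06-01T09:00", 120),
]

Q1_START, Q2_START, Q2_END = datetime(2024, 1, 1), datetime(2024, 4, 1), datetime(2024, 7, 1)
PERIODS = [("Q1 2024", Q1_START, Q2_START), ("Q2 2024", Q2_START, Q2_END)]

if __name__ == "__main__":
    for row in board_trend(SAMPLE_RECORDS, PERIODS):
        print(f"{row['period']}: {row['findings']} findings; "
              f"{row['sla_pct']}% of critical findings patched within {SLA_HOURS}h")
```

Run on the sample data, the count-based view says findings went up by more than 70%, which sounds like things got worse; the SLA view says the team went from patching two-thirds of critical findings on time to 90%, which is the sentence the board can act on. Keeping the raw count in the same table is deliberate: it lets you answer the follow-up question without it becoming the headline.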
Mistake 4: Not Including An ‘Ask’
Even if you tell the most compelling story around a specific risk and your board is hanging on your every word, you can’t call the meeting a success if nothing comes of it. One of the most agonizing mistakes we see cybersecurity leaders make when presenting to the board is forgetting to ask for the thing they came for in the first place. More often than not, the chances of the board taking action without a clear ask are slim to none.
Do This Instead: Conclude with a Specific Request
If you need something, ask for it. Make sure you wrap up each board meeting with a clear, actionable request. For example:
- Can we add 10 minutes to the agenda to discuss [risk] in future meetings?
- We’re drafting a new charter, can you authorize this as a group by [date]?
- Can you support us in launching a cross-functional cyber risk management committee, so we can stay ahead of the curve?
Black Kite Helps You Prep for CISO Board Presentations
Black Kite automates the process of providing real-time and accurate risk intelligence, so you can make more informed decisions. Black Kite’s platform lets you quantify risk, so you can better communicate a risk’s potential impact in terms that your board understands.
Need help prepping for your next board meeting? Check out this deck template (PDF Version & PowerPoint Version), which includes a set of slides you can customize for your next CISO presentation to the board of directors, and my walkthrough video where I use these slides to report a real-life example to a board.
Ready to see what Black Kite’s cyber risk detection and response platform can do for you?