How to Present Your Cybersecurity Program to the Board of Directors

January 22, 2018 | BY Apptega

Updated 12/16/19

Overview

As the CIO, CISO or a member of the IT team of your company, you know how important it is to have a quality cybersecurity program that’s not only effective but can be easily reported to your Board of Directors and other stakeholders. However, the people who make up your Board, and who ultimately make the decisions of the company, might not truly understand how cybersecurity works. Yet, they read the Wall Street Journal, watch the news, and are exposed to the ramifications of cyber attacks daily and are trying to connect the dots to their personal and fiduciary exposures. As the pressures of Board accountability increase, so will your role in presenting your organization’s cybersecurity program. Trying to explain your cybersecurity program to your Board of Directors can be difficult and daunting.

Today, in many cases, the Board carries the highest responsibility for the cybersecurity of your company, as was discussed by SEC Commissioner Luis A. Aguilar in a speech delivered in 2014, and which was posted on the U.S. Securities and Exchange Commission site. He closed out the speech saying that board oversight of cyber risk management is “critical to ensuring that companies are taking adequate steps to prevent, and prepare for the harms that can result from such attacks.”

Learning How to Speak to the Board

One of the first things to remember when presenting cybersecurity to the board is that most of its members will not know the highly technical terms and jargon you are accustomed to using with others in your field. Therefore, you need to change your approach when speaking to them. You will want to focus on risk management, with hard data and visuals to back it up, while connecting to the top line and bottom line for the company.

Start by providing them with background on cybersecurity and why it has become so important. There may be some board members who do not realize just how dangerous the world has become, or the dangers it can pose to their company – and their finances. Talk with them about the major types of threats that could affect the organization. Threats are constantly changing, so giving them recent “ah-ha” examples and relevant case studies will grab their attention. Explain what each of these threats is and what it could do to their company. How could it affect your brand and shareholder value? Provide examples of other companies in similar areas that may have suffered from various cyber attacks and highlight what happened to those businesses.

The board is likely familiar with the operations of the company, so explain how various cyber attacks could affect those areas. What would happen if proprietary information were stolen? What would happen if customer and client financial information and credit card numbers were stolen? It would cause many of those customers to do business elsewhere, for starters, and this could severely damage their bottom line and reputation.

Discuss programs and methods that can help to reduce or eliminate these threats, and highlight what a difference they can make for the company’s ability to serve its customers and build (and preserve) a good reputation. After all, companies that are willing to invest in cybersecurity methods are viewed as having their clients’ and customers’ interests in mind as much as their own.

Show your Board the programs that are currently in place at the company, and your road map for continuously preparing for future threats. Real-time charts, dials and data are what Board members are accustomed to seeing. You can also provide an overview of improvement opportunities to keep your organization ahead of the game and what can be done to boost security further. This is a great opportunity to get buy-in from the Board for additional operating capital to support your cybersecurity goals.

Finally, your messaging should not be about FUD (Fear, Uncertainty and Doubt) alone. Board members will tune out and lose interest. Wrap up your Board presentation by pointing out that cybersecurity can be proactively communicated early in sales cycles with potential customers to help deals close faster and with a lot less scrutiny at the final hour. Keep track of how many new customers, and how much of their revenue, you and your team helped close due to your participation in sales calls and the success of your cybersecurity program efforts. That will get noticed – big time.

Preparing for Your First Board Presentation

The first step in the process of crafting a good board presentation is to understand the board's interest in cybersecurity, and to develop a plan for speaking intelligently to that concern. 

According to a recent article published on SecurityCurrent.com by Dave Mahon, Chief Security Officer of CenturyLink:

There are three primary reasons for today’s heightened level of cybersecurity awareness in the boardroom. One, it has come to directors’ attention that there are litigation risks associated with an organization’s cybersecurity and information protection programs. The Target Corporation breach in 2013 led to the company’s CEO and CIO resigning and the directors themselves facing litigation from angry shareholders. Today, most members of corporate boards want to understand the organization’s security posture and their potential exposure to litigation.

A second issue that has caught the board’s attention is that, in 2011, the SEC issued guidance on material risk that must be reported in your company’s 10Q and 10K reports. When there is material risk related to the state of the security of your network or the potential impact of a major cyber incident, it must be included in these reports. Enforcement of this requirement began in 2014, and so the board is now involved in understanding cybersecurity risk to stay in compliance with SEC reporting requirements.

A third development that has come to the board’s attention is cybersecurity insurance. A large corporation typically has an insurance portfolio managed by a director of insurance. This director probably makes an annual all-insurance portfolio presentation to the board, and directors have recently seen cyber insurance added to that portfolio. Given that a cyber insurance policy can be a significant cost, directors will want to understand the risk it is compensating for.

Over the past 12 to 18 months, these three issues have all become independent board meeting agenda items. In addition, many board members take training from the National Association of Corporate Directors (NACD), which of late has been instructing members about cybersecurity, governance requirements, and board responsibility. Thus, the board is hearing about cybersecurity long before you are asked to present. With that in mind, you might be invited to make a presentation, or to answer specific questions, or both.

Think of understanding your boardroom as similar to understanding a target audience as a company. The more you know who you're speaking to, the easier it'll be for you to target your message and knock it out of the park. If you don’t understand the board’s concerns fully, consider pulling back on your presentation until you do. This is not an area you want to venture into unprepared, and it’s not something you can afford to do only halfway. Know their concerns and go in ready to cater to them, or don’t go in at all.

5 Tips for Effectively Presenting Your Case

Today, 42% of leaders surveyed by the National Association of Corporate Directors reported that cybersecurity is one of the five most serious concerns they’re facing — behind only changes in the regulatory climate and an economic slowdown.

Because of this, security executives around the world are going before boards to brief leaders on the risks and strategies associated with cybersecurity, and what can be done to mitigate dangerous consequences, even as the cybersecurity climate continues to shift and change, and your organization continues to grow.

Despite this increased focus on cybersecurity, many board members feel they’re not getting the information they need from security officers. The issue is not a lack of importance, but simply mismatched communication styles. With this in mind, follow these five tips to ensure your board is getting the information it needs, and that you’re delivering your message effectively:

1. Do More Prep Work

Executives today are expected to prepare written reports for distribution to their board members before they present directly to the board. While you may think that a bit of advance research is sufficient, you’ll benefit yourself and your team by doing more focused prep work and preparing as much as possible ahead of time.

2. Offer an Assessment

When you present to the board, inform them honestly about where your cybersecurity efforts are now, and where they need to be. To help them understand the ins and outs of the greater security landscape, be transparent about new risks and opportunities to improve, as you see them.

It may even be helpful to present a few case studies to help people understand how your company is using (or not using) cybersecurity efforts. To continue your reputation for transparency, be sure to build on this information every time you speak with the board, since this provides a realistic and ongoing image.

3. Be Honest

As you draw up your assessment, be sure you're being upfront and communicating relevant information to your board members. The more straightforward and accessible you can be now, the better prepared you’ll be to help board members understand their enterprise risk, what needs to be done, which tools are essential for your organization and its security needs, and how extensive the investment will be.

4. Prepare to Answer Difficult Questions

The last thing you want when presenting to the board is surprises. Not only do surprises undermine your credibility, but they can derail your cybersecurity efforts. With this in mind, spend some time preparing for the tough questions board members may ask. 

Pay special attention to potential questions like “How good is our security?” and “Are we safe from future attacks?” These questions illustrate underlying anxiety in board leaders, and are an excellent opportunity for you to showcase a solution or introduce an approach that can help make everyone feel secure once more.

5. Avoid Scare Tactics

According to CSO Online:

“CISOs see the growing volume and increasing sophistication of cybersecurity attacks, so it’s not surprising they seek to share such information with their boards while explaining the resources they need to counteract all those threats.

Boards certainly want data, but they want that information in ways that allow them to make informed decisions about where to best place their security investments to mitigate their greatest risks.”

 

Ongoing Presentations

Your initial presentations are just the beginning. You’ll want to make sure you continue to keep the board updated with issues and opportunities relating to cybersecurity, and to make sure they receive the education they need on current threats and the benefits of your ongoing program.

Let the Board know what you and your team have done to address cybersecurity since the last update and new methods and tools you’re implementing. The board should be “clued in” by this time and will have a better understanding of how and why certain things may be essential for the workflow, security, and growth of the business. You can also update them with accountability metrics that you are following, such as compliance scores, audit findings, policies, and training programs.

How Apptega Simplifies Board Reporting

One of the great features of Apptega is its powerful reporting tools that are tailor-made for Board presentations. You can show the Board the end-to-end story of your cybersecurity program, including real-time compliance scores, what you have achieved over time, areas of strength, areas for improvement, project life cycles, and a future implementation road map for the next 12 months. Crisp dials, graphs and charts are exported into PPT, and reporting templates are provided to match expert industry practices. Reporting through Apptega is generated in minutes, instead of hours and days.
