Reporting Security to the Board? Here are 4 Steps to Help You Prepare
Security is a top priority for boards, and how you report information to them will inform decisions and policies. Don’t go in blind. Get started here.
Four Steps to an Effective Presentation
Presenting to a board of directors can be intimidating for anyone, but employing some best practices and a few mental tricks can help you effectively navigate the event while getting the most important information across to stakeholders.
According to a recent post by the Harvard Law School Forum on Corporate Governance and Financial Regulation, cybersecurity and SEC regulation and enforcement are two of the top 10 concerns for boards in 2019. They will be paying attention to your report, and they’ll need concise, meaningful, and clear information.
So, how can you best deliver? Try these four steps to effectively report your security program and operations to your organization’s board of directors.
Step 1: Understand Your Board
The board is responsible for the governance of the organization and represents shareholder interests for public companies. Primarily made up of non-employees, they hold the CEO and staff accountable. Their purpose is to obtain information from various departments within the organization and give actionable advice and feedback.
For them to do their jobs, it’s important for you to understand your board. Know how many (if any) internal employees sit on the board, and where other board members work. Find out what their organizations are doing for security, and whether there have been any major changes or disruptions to their programs.
Don’t forget: boards are made up of individuals. Know your audience. Know their names. Talk to others who have presented to your board and build profiles of your board members so that you can speak to them in the context of their roles and expertise.
Many boards operate in committees with specific focuses on organizational priorities or goals. Before presenting, find out if your board utilizes committees for things like security, audits, or risk, and if so, who is a part of those committees.
Step 2: Know Your Purpose
It may sound silly, but it’s the most important question to ask: Why are you there? Before you begin to put together your presentation, you need to know what the board is looking for from you. Do they want a general update on the security program? Are you expected to debrief them on a recent security breach at your organization, or an issue in the news?
Once you know what they’re looking for, identify your own goals so that you know which metrics and information to provide. Do you want a bigger budget or more cost-effective information security? Do you need more resources or staff members? Are you looking to share wins and successes, or stay under the radar? Answering those questions helps you to tell a more effective story with the data you present.
Make sure to tie all of the information you provide to your organization’s top priorities and goals and show how your material connects to them. The board is mostly concerned about the company as a whole — not an individual department. Does the data show that your department enables your company to meet its objectives, or prevents them from being interrupted? Whatever you do, make sure it doesn’t imply that your team is somehow working contrary to the organization’s efforts.
Step 3: Put in the Prep Work
Before you start building the presentation, know what the meeting agenda will look like. Find out what other topics are being covered, and where you are in the speaker lineup. It’s also good to know who is speaking before or after you, and whether sessions are likely to run long.
Pull your metrics, analyze them, and figure out the story you want to tell. As you’re putting slides together, consider using reporting visuals like heat maps, metric tables, project plans and timelines, and third-party results to reinforce your commentary. Visuals keep things concise and easy to understand, and are much easier on the eyes than large blocks of data.
Practice your presentation and know your timing for each point. It’s great to have a strong game plan in place, but be prepared to adjust it on the fly. Know your one key point for each slide, so that if needed, you can shorten the presentation while still getting the most vital information out. Remember, less is more, particularly knowing that they will likely have a lot of questions for you.
Have your peers or superiors review the slides, and once you have a final draft completed, send it to board members at least two days in advance of the presentation.
Step 4: Manage Your Expectations (and Theirs)
Knowing what to expect can help you mitigate any uncertainties, or at least get yourself in the right state of mind. Get comfortable with the idea that you will be delayed, have less time than expected, and run out of time to present everything. Understand that board members will have a variety of different points of view, so don’t expect them to immediately understand yours. They’ll ask questions you never considered, and demand action on issues you highlight or those they discover.
You don’t want to blindside or confuse them, so do your best not to use any jargon or complex terms and concepts. There’s no need to get into the weeds — they just need high-level information and will trust that your team has done its due diligence to provide the information accurately.
Whatever you do, don’t ask for money or resources. Let the data tell the story and communicate the need, and the board can come to that conclusion. They can influence those decisions at the leadership and enterprise levels, but they will not allocate.
When in Doubt, Work with the Experts
Have questions or need help compiling a strong, impactful presentation for your board? Inversion6’s CISOs for hire can assess risk, help to build comprehensive security programs, track metrics, collaborate on-site, compile reports, and even present to your board.
Contact us today to learn how we can help you create a high-performing security program for your organization.