Creating Impact In The Boardroom With Your CISO Reports
By Shirley O’Sullivan
All of us are, hopefully, still energised about presenting our CISO reports to the board. Perhaps this is your first time? As a CIO or Head of IT, information security may be just part of your role. Delivering a good presentation is a tremendous career opportunity, but also vital to security across the company. The Board will want you to highlight your successes, but also be clear about where improvement is needed and the risks and consequences of not doing so. You need to use language that is precise and unambiguous, finding the right balance of technical content. While planning the content of your CISO reports you also need to learn about your Executive Board, what their priorities and pain points are, how they think and how to land key points with them. This will require some research, especially if you haven’t previously had much contact with the board.
What NOT to Present
Having access to security intelligence tools, you will have large amounts of data under your fingers. As well as out of the box reports and dashboards, you can create customised output, bringing out precisely the points you need to make. Yes? Well, possibly. Dashboards are ideal for giving a snapshot of the current situation and trends, but you need to use them to support your message, not to head it up. Presenting to a non-technical group means that reports and dashboards may require too much explanation, distracting attention from your main points. It’s tempting to begin the presentation with a current news item with its potential consequences and costs. This may scare the board (not usually a good thing) but there’s a chance that an astute CEO may ask how much effort the hackers put into the theft and whether that is a realistic example for a your organisation. There are more relevant news items if we look hard enough. A laptop stolen from a hotel room or left on a train may be realistic threats, particularly if your company has high-value IP. The prospect of a memory stick or unsecured company mobile falling into the wrong hands may be a bigger risk. Documents and drawings, sensitive financial information; all of these can be present on a mobile device.
Knowing Your Executives
As with any presentation, understanding your audience is essential. You need to gauge the level of detail with which they are comfortable. Some boards will be happier with a high-level helicopter view, others may demand a rather more technical explanation of our security reporting & key risk indicators. You also need to consider the information they want to see and how that relates to their point of view. If your company is considering increased offshoring, for example, you may tailor the content towards global controls and risks. Alternatively, if the board is geared towards fiscal control, you may focus on how information security can reduce costs, and especially financial risks, in the long-term. Researching your executives preferences can be tricky; you may have met one or two of them, but you are unlikely to have regular contact with all of them. You therefore should enlist support and advice from trusted allies.
Joined-Up Security
Finding allies may also be important for another reason. It’s rare for information security to be totally within the grasp of ICT. Joined-up thinking means working with colleagues in other parts of the company, for example, employee induction and on-going training for strong passwords and email phishing. If you can demonstrate that your security strategy connects with other departments, you stand to gain allies, as well as impress the board with your approach. Of course, you will then need to agree the level of collaboration and preview the content with them.
CISO Reporting Content
As the Chief Information Security Officer (CISO), reporting to the board is an opportunity to highlight successes. This may be by comparing metrics with a previous point in time, or actual examples of the number of threats detected and stopped. You can use comparison as a tool to illustrate your key points. As well as historical comparisons, you can compare KPIs with other companies, or with industry benchmarks. You can use these to drive home points about where improvement is needed, and resources required. You need to temper success with the need to be vigilant, highlighting that the number and types of threats are expanding. Without unduly worrying the board, you should elucidate the risks to the business and what you are doing to mitigate and control them. The board will understand breaking a risk into its likelihood and the consequences of occurrence.
As well as your strengths, you need to be open about current weaknesses in information security and your plans to strengthen these. You will have discussed these plans with our allies, where relevant, in advance of the presentation. The presentation is not just about our view of the world. You may need to help the board to articulate its vision for information security, not least as a way of validating your technical strategy. The language you use in your CISO reports needs to be precise. An aggressive, sales-driven board may be used to taking risks and see it as a natural part of business. Similarly, words such as “catastrophic” are likely to have very subjective meanings.
Conclusion
Being a CISO may be your full-time role, or part of a CIO or Head of IT role. The profile of cyber-threats, their risks and consequences, however, mean you will likely be presenting to the board on this aspect. Presenting your CISO reports is a great opportunity to get face-time with the board and progress your career. Primarily, however, it’s a forum in which to highlight and validate your approach to information security and to take a steer from the people running the company. Done well, your CISO reports will help to cement information security into the company’s high-level strategy, and to make the business stronger and better protected from cyber-threats.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.