The surge in cyber-attacks has driven awareness of the importance of cybersecurity. Yet many CISOs are struggling to capitalize on that awareness when delivering presentations to the board.
The rapid surge of cyber-attacks has prompted organizations to prioritize cybersecurity more than ever before. Business executives across the board therefore continually ask their CISOs to brief them on, and keep them updated about, the latest cybersecurity risks. For CISOs, this increased concern from business leaders is an opportunity to help the board better understand the value of cybersecurity, to persuade them to support security initiatives, and to enlist their help in building robust security strategies. Yet many CISOs still fail to capitalize on this opportunity.
In fact, many CISOs fail to present cybersecurity in terms that align with the goals of business executives. While CISOs across different industries and organizations undoubtedly face their own unique challenges when presenting to the board, they still make some common mistakes while doing so. They should plan a presentation that clearly gets their message across to the board while instilling confidence in the organization's cybersecurity.
Here are a few mistakes that CISOs should stop making right now while giving presentations to the board:
Speaking in technical terms
Most stakeholders on the board have little to no understanding of the technical aspects of security. Hence, when delivering a presentation to the board, CISOs should develop a good understanding of the board members' risk appetite and speak about relevant risk metrics in monetary terms. Most board members want to know the business impact of security risks and investments. Instead of concentrating on technical details and the costs of new technologies, CISOs should brief them on how investment in these technologies affects business risk.
Heavily relying on cyber risk reporting
CISOs rely on multiple tools that aggregate operational activity, vulnerability remediation efforts, or even one-size-fits-all measures to create cyber risk posture reports. But not all security reporting tools are created equal: the risk scores these tools produce often lack the variation and context required to make them actionable. Instead, CISOs should concentrate on the things their organization actually cares about, map the specific assets that support those things, and express the risk to them in terms the board can understand.
Not discussing breaches
Today, more and more board members recognize that security breaches are inevitable. CISOs should therefore discuss cybersecurity breaches strategically, to familiarize the board with the organization's risk and incident response strategies and procedures. They should talk about public breaches and describe how a similar attack would be managed within the organization.
They should also demonstrate how the cybersecurity team can prepare for the various potential outcomes of a security breach. Near misses within the organization are another topic worth raising: a sensitive one, but one that can give the board a valuable educational experience.
Not preparing for questions from the board
Not being ready with appropriate answers to potential questions from the board is an open invitation to trouble. CISOs should take care not to get caught off guard by questions they cannot answer. Along with creating the content of the presentation, CISOs should think about what questions the board may ask and prepare answers in advance. Another step to consider is briefing board members beforehand on the prepared content and on the questions it is likely to raise. While it is not possible to prepare for every question, this process helps build trust with the presentation's attendees.