Who Should Read This

If you’re a CISO or security leader preparing to brief the board of directors, this post covers both the substance and the style: what board members expect, how to frame risk in business terms, and how to walk out with the support you need.

Introduction

It has become increasingly important for cybersecurity initiatives to receive board recognition, and CISOs must be able to clearly communicate those plans and goals to the board. Today’s ‘cyberscape’ is constantly evolving, and with that come threats—particularly financially motivated and data-stealing attacks. With security breaches regularly making headlines in mainstream media, CEOs, Boards of Directors (BoD) and agency heads are focusing on cybersecurity and looking for answers from the CISO.

Briefing the board of directors is an opportunity to proactively improve the visibility security receives and gain support for strategic security initiatives. However, it is also an opportunity to make mistakes that hurt a career.

What Board Members Expect

In order to take advantage of the opportunity to brief the BoD, CISOs need to understand the expectations board members have when they hear from any C-level corporate executive. Some CISOs may feel a sense of disconnect with their board of directors and must learn to effectively communicate cybersecurity to the board in a way that is not overly technical. CISOs should have regular dialogue with the board and be prepared to have a part in almost every board meeting.

However, communicating to the board is more of an art than a science. Effective communication to the board requires both meaningful data and a communications approach and style that actually influence BoD members' discussions and recommendations and drive the change necessary to make advances in corporate cybersecurity.

For smaller organizations that don’t have a board of directors, there should be at least a committee or council, made up of the people who manage the different functions of the organization, that the CISO can approach.

Communication Style and Approach

A CISO must go into the board with a business head — it’s about 70% listening and 30% suggesting a solution. The most valuable things you can give board members are honesty, expertise, respect for their time, and clarity about what you want. Most board members will be prepared as soon as you enter the room and will have read the read-ahead before the meeting. Board members are time constrained, and the CISO is just one item on the agenda.

It is recommended to begin with the BLUF – Bottom Line Up Front. Don’t just tell a story or walk board members through PowerPoint slides; give context and demonstrate how it relates to what’s happening in the industry.

In the Room

CISOs must be engaged and engaging while also covering the basics of presentation delivery, such as keeping good eye contact and being articulate about the things that matter to the business. Don’t use jargon, and don’t read slides or a script off of an iPhone. When speaking with the board, don’t present. The meeting should be a conversation, not a presentation. Remember to monitor your cadence, and slow down if you are talking too fast.

If you must use a PowerPoint, add visuals that aid understanding while imposing the least cognitive load. A CISO must look at the data and see what the data actually says. This is a much more honest approach than cherry-picking data that supports a particular narrative. Anticipate the questions the board is going to ask and incorporate them into the presentation. If you are addressing the board as a group, know who will answer what. The more relaxed you are, the better you can convey how you will help them solve a business problem. Lastly, don't forget to enjoy yourself and stay positive about your discussion. This is your moment to shine!

SEVN-X provides vCISO and advisory services that help security leaders communicate risk to the board effectively. If you need help framing your security program in business terms or preparing for a board presentation, we can help.

FAQs

Q: How should a CISO communicate cybersecurity to the board?

Lead with the bottom line: what the risk is, what it means to the business, and what you need from them. Avoid technical jargon. Frame security in terms of business risk, not control frameworks. Keep it conversational, not a presentation. Board members want honesty, clarity, and respect for their time.

Q: What do board members want to hear from the CISO?

Business impact, not technical details. Board members want to understand risk in terms they can act on: what could go wrong, what it would cost, and whether the organization is positioned to respond. They want confidence that the CISO understands the business, not just the technology.

Q: How often should a CISO brief the board on cybersecurity?

CISOs should expect to have a presence at almost every board meeting, not just annually. Regular dialogue builds credibility and allows the board to track progress on security initiatives over time. Consistent cadence combined with clear metrics makes each interaction more productive.
