Giving A Presentation To The Board

At some point in your CSO / CISO career you will need to give an update to the board. This could be monthly, quarterly or yearly depending on the size of your company. Wondering where to start? Here is a template I have found to be successful.

Practice Makes Perfect

Whether you are new to presenting or an experienced veteran, I highly recommend creating your presentation and then writing down what you are going to say in the speaker notes. Practice the presentation, transitions, etc. until you can do it without reading the slides and the delivery sounds natural. Record yourself and watch it a few times to catch yourself saying "uh" or "um" and to see what you will look and sound like from the perspective of the audience. Give the presentation to a family member or friend to get their opinion on how to improve. The more you practice, the more relaxed and prepared you will be when in front of the board.

Know Your Audience

I often see presenters assume the board knows (or wants to know) specific details about technology, products, services, etc. when presenting. In my experience they don't. The board members are not experts in your day to day operations. They are usually highly compensated executives trying to run large organizations, and you are giving them a narrow window into your world. You need to highlight and raise the points they can anchor on so they can orient themselves around making an appropriate decision with the information you presented. I keep technical information in backup slides in case one of the board members wants to go deep, but typically they want to know the following:

How Has Risk To The Business Changed Since You Last Presented?

This section will be a combination of global security trends impacting your industry and the current status of the strategic plan. I like to start out by giving an overview of whether our risk has increased, decreased or stayed the same since the last time I presented. A graph is really helpful here and allows the board to orient their thoughts while you give a short introduction and explanation.

If you are just starting out with the strategic plan, then this section will focus more heavily on how you are planning to prioritize the security controls in the plan and when the board can expect results.

What Caused This Change In Risk?

Why did risk to the business increase, decrease or stay the same since last time? If risk decreased, highlight the controls or process improvements the organization made to achieve this reduction. If risk increased, tell the truth and then give your recommendation for how to manage or reduce this risk over a specific time period. This could involve asking for additional funding or personnel, or even asking a particular group, product or service team to focus on a particular area to make progress.

What Are The Top Three Risks To The Business At This Time?

You are the expert, and the board wants to hear your opinion on this. These risks probably won't drastically change between presentations, but I like to remind the board of the risks and then present a suggested plan to manage or reduce them in the Look Ahead section.

Metrics For Security Incidents

This is a good section to add metrics on the number of security incidents, what caused those incidents, what the time to resolution was, etc. It may also be a good place to give a quick summary of progress on vulnerabilities in production, or the after action results of a specific incident the board wants more information on.

Look Ahead

Lastly, I like to wrap up the presentation with a look ahead at what my team is going to focus on between now and the next board presentation. This could involve implementing new controls or technology to reduce a specific risk area. This is a good place to work in your investment asks. I typically give a list of 3-5 items: what they are, why they are important, what the ask is (if any) and the outcome I'm expecting once they are completed. I tie these into the top 3 risks to the business and then give a short conclusion before asking if there are questions.

Author: Lee Vorthman

I'm a U.S. Navy veteran and the Global Chief Security Officer (CSO) at a Fortune 100 cloud company where I've built a successful security program from the ground up and have partnered with the business to increase trust and reduce risk. I have over 25 years of experience across a wide variety of industries such as technology, government & defense, education and oil & gas. I hold a number of professional certifications, such as EC-Council's Certified Chief Information Security Officer (C|CISO), Digital Director's Network (DDN) Board Certified Qualified Technology Expert (QTE) and ISC(2) Certified Information Systems Security Professional (CISSP). Previously I was the Chief Technology Officer (CTO) for Civilian Agencies and Cybersecurity Initiatives at NetApp U.S. Public Sector and the Chief Information Security Officer for an Oil & Gas software company. I am available for consulting and speaking opportunities. Thoughts and opinions are my own and do not represent any employer past or present.
