Five Key Considerations for Crafting Board Presentations on Information Risk and Security

Author: John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, president of IP Architects LLC.
Date Published: 2 December 2024
Read Time: 7 minutes

Tips of the Trade

Developing and carrying out effective board of director (BoD) presentations is a crucial skill for information risk and security leaders and professionals. Presentations provide an opportunity for individuals to have an audience with leaders that they do not typically interact with on a regular basis but have significant influence on their activities, strategy, and funding. BoD members typically have fiduciary, compliance and other obligations. In some cases, the BoD can be held personally accountable for ensuring commercially reasonable and defensible security capabilities are in place within the organizations they serve. This accountability requires them to understand the current information risk and security posture of the organization and provide direction, guidance and assistance when possible and appropriate.

The primary objectives of most BoDs are to understand, guide and support the organization’s overall information risk strategy and current posture. They ensure that appropriate controls, capabilities, and measures are in place to provide commercially reasonable protections, and they uphold accountability while fostering continuous positive progress. They are not expected to be involved in the business-as-usual operations of an organization’s information risk and security activities. They typically form their views, analysis, and guidance based on information provided to them on a point-in-time basis unless there is a material concern or incident that requires their immediate attention. They primarily rely on feedback and insights from the organization’s chief information security officer (CISO) and information risk and security professionals to equip them with the data needed for informed decision making.

BoD presentations can be stressful and overwhelming for many security professionals. In recent years, BoDs of various organizations have increased their focus on information risk and security programs, services, activities, and staff. This heightened interest stems from their own priorities, as well as the expectations of constituents and stakeholders, including investors, regulators, and customers. This means that the materials presented to them must be concise, thorough, and informative. There are five key considerations when developing BoD presentations for information risk and security updates:

1. Present the current information risk and security posture of the organization.

To provide accurate guidance and assistance to an organization, members of the BoD first need to understand the current information risk and security posture of the organization they serve. This is typically informed using information and cybersecurity risk assessments that are supported by threat and vulnerability analysis, including business impact analysis. Board members typically want to understand what the organization’s information risk and security professionals identify as the current material threats and vulnerabilities, and their potential impacts if realized. These often include but are not limited to data breaches, insider threats, third-party service provider compromises, ransomware, and the overall security hygiene and posture of the organization.

The next component of the presentation should be a description of the organization’s current preparedness to defend against these threats and vulnerabilities and the organization’s ability to appropriately manage their associated risk. Board members are conscious of the fact that threats and vulnerabilities will always exist. Their primary concern is how prepared the organization is to manage risk and minimize their organizational impact if realized. For each identified material threat or vulnerability, the presentation should provide a short statement that describes the risk treatment plan, including the countermeasures and capabilities the organization has in place to manage the risk appropriately.

It is often useful to use a “traffic light protocol” (TLP), which is a color-coded visualization technique using the colors green, yellow, and red to visualize levels of concern. Green represents a positive state with no immediate risk or concern, yellow represents a potential concern with risk that should be monitored, and red represents a material concern with risk that needs to be addressed as soon as reasonably possible.

The TLP should be complemented by representing the data in multiple dimensions. The first dimension should be the level of concern that the risk poses to the organization. The second dimension should be the organization’s confidence level in its ability to effectively manage the risk given its current defensive capabilities.

2. Provide a summary of the current maturity of the organization’s information risk and security program functions and the services it provides to the organization.

Board members are often interested in ensuring that information risk and security programs and the capabilities they oversee are aligned with organizational expectations, strategies, and requirements. They are also interested in ensuring the organization can demonstrate that it is defensible and provides commercially reasonable capabilities if ever scrutinized by interested third parties, including customers, compliance bodies, legal review, and enforcement authorities.

One way to provide this information is to use capability maturity models (CMMs) that have five defined tiers of maturity. These models can be used to review information risk and security program functions and provide a list of services that are expected to be provided by the program in alignment with recognized industry frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) or the services listed in ISO/IEC 27001:2022 from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

An effective way of visualizing this data is to use radar charts. When visualizing these insights, radar charts can list the program functions or services and then present the maturity rating of each using color-coded lines within the chart. It is often useful to include benchmarks such as the organization’s current assessed (independent or self-assessment) maturity level rating, its target maturity level, any change in maturity level since the last evaluation and presentation, and industry benchmarks when credible data is available. Each of these data points should be displayed in a unique color that is easily differentiated from the others.

3. Format the presentation into three distinct sections.

Board presentations should be brief and concise. It is suggested that the presentations be formatted in three distinct sections:

  • The first section should set the tone of the presentation with a short agenda. It should start with a review of the organization’s current information risk and security posture, program, and activities, as well as any material updates since the last board presentation.
  • The second section should provide summary descriptions and progress updates on current important activities, projects and initiatives, as well as administrative updates (including but not limited to staff, budget, and new organizational requirements).
  • The third section should look to the future, outlining actions and activities that are expected to occur over the course of the year and before the next board presentation. This section should also include time for discussion with the board itself to gain its guidance, direction, and support on specific identified topics. It is also recommended that board members provide feedback on data and insights that they would like explored in future presentations.

4. Be prepared to answer the question: “Do you have what you need to be successful?”

One key question that board members will often pose to information risk and security leaders and professionals, either directly or indirectly, is, “Do you have what you need to be successful?” This can be a challenging and complex question to answer, but one that the individual(s) giving the presentation should be prepared to answer for the BoD. The question should be answered with objective data points and evidence that support the response and the presenter’s professional opinion. Boards of directors and their members provide oversight, guidance and direction to the organizations they serve. Since they are typically not involved in the day-to-day activities of the organization, they need to review specific data points, reports, and analyses to form opinions and provide guidance.

To address this question in the current and future state sections of the presentation (the second and third sections), consider breaking the response into three categories: time, money, and people. These three categories can be used either at a detailed project level or at a macro level for the overall health and progress of the information risk and security program. These categories are obvious and easily understood by board-level audiences and will generate discussion.

5. Ensure more facts than opinions.

When developing the board presentation, it is important to provide information that can be supported by evidence if requested. Board presentations may be made available to interested parties when requested, so their content should be as factual as possible in the event of scrutiny. Information risk and security components of board presentations are often scrutinized when the organization faces a significant security incident that leads to legal or regulatory investigations and potential punitive actions.

When professional opinions are provided as part of a board presentation, they should be clearly noted as such and include the identity of the individual stating those opinions. This should be done for clarity and accountability purposes. Professional opinions are beneficial but are often best left for the discussion portion of a board presentation when possible.

Be concise, accurate and factual

Developing and sharing presentations to an organization’s BoD is a normal part of the governance process for information risk and security programs and their leaders. Effective board presentations offer a snapshot of the organization’s information risk and security posture, program and capabilities. This information can enable directors to make informed decisions as they direct and guide the organizations they serve. A concise, accurate and factual presentation will help board members and information risk and security staff ensure that the organization’s risk management goals and objectives are being managed appropriately and effectively, in line with organizational expectations and requirements.