A CISO is in an interesting position, because they need to be technical and non-technical at the same time. In a large number of organizations, the CISO reports to the CIO, who is generally a technical person. At the same time, the CIO is also a business person with budgets to manage and commercial decisions to make.

One thing a CISO has to do is communicate with non-technical people; for example, CISOs are increasingly getting slots at board meetings. In board meetings, the question the board wants answered is "how secure are we", or as the CISO would see it, "how vulnerable are we"? This question cannot be answered with a single metric. It needs to be broken down and presented as a set of cohesive questions that lead the board to the answer they seek. Sometimes the CISO instead supports the CIO, who addresses IT security on the board's behalf.

  • The CISO would do well to address:

  1. Current security trends, covering threats, recent industry events, and their applicability to the organization

  2. Security posture and risk appetite compared to others in the industry.

  3. Where the gaps are

  4. What is being done to address the gaps

  • The board can be closer to operational detail than expected, so clearly defined timelines, accomplishments and named owners are useful for them to see.

  • Clear communication of business outcomes is a priority. Communication to the board should allow the board to focus on their priorities, which are often profitability, operational risk management, protection of revenue streams and avoiding surprises that involve a loss.

  • Connecting with the board is important. They should feel that this is an interesting person to listen to who helps them accomplish their objectives. Relationship management, communication, risk management and knowledge of the business become more important than technical or security expertise. Clarity is critical, and so is explaining the line of thought. This cannot come without preparation. Even if you are not allowed to read from a script and are expected to speak extempore, you should have a written speech that methodically presents the key ideas within the time available. Things to think about presenting:

  1. What are the new and emerging threat trends, and where are we on a quadrant vis-à-vis each?

  2. What is our plan to move up and improve our protection?

  3. How are peers doing?

  4. What are our biggest gaps, and what are the consequences?

  5. While the gaps exist, what are we doing about them?

  6. What are the threats we face?

  7. What is our risk appetite, what are the major vulnerabilities in our IT systems, and what is our exposure?

  8. What is our approach to managing these threats?

  • Provide a short summary of key issues ahead of time so there is a foundation of common understanding in the meeting. It can be text, or a PowerPoint, or text in a PowerPoint, supported by appendices that contain the detail if that is required.

  • Proposals and suggestions should be tied to business objectives, i.e. there should be a clear line from an initiative to how it improves profitability or avoids losses from surprise adverse incidents.

  • Use analogies and simplify things as much as possible. Use anecdotes, observations and metaphors, and support with data presented graphically where required.

  • Select graphical and pictorial representations to present complex concepts and data.

  • Avoid a presentation that lacks a theme, and leaves the board confused.

  • Understand and clarify the goal of the meeting – what outcome you want to come out with. Ask the following:

  1. Why are we having this meeting, why does the board want my presentation? Perhaps the board is looking for assurance that information risk is in hand, and that all the right projects are progressing without obstruction. Perhaps they want to make sure that what may have happened to peers cannot happen to us.

  2. What do I want to get from the presentation? Is it just an update and awareness session, which may be a worthwhile goal, or is it to plant the idea of a budget increase?

  3. Is the theme consistent? There should be an existing roadmap and strategy that should be common from one meeting to the next. There would be topical discussions but these should add to and not obfuscate any existing road maps. Themes should be identified by locating the synergy between business goals and security objectives, for example:

    1. Protecting customer information

    2. Being a trusted vendor for our customers

    3. Avoiding regulatory censure

    4. Offering new products and innovative services

The material should be prepared considering:

  1. How do you want to feel after the meeting? What is your desired outcome?

  2. How do you want the board to feel after you have finished?

  3. What stories are you going to use that lead to the right outcome? Press stories are good for providing key scenarios to walk people through.

  4. Present all facts, even those that do not support your point of view, for a balanced decision. Recommend a course of action, but without stacking the deck entirely in your favor.

  5. Include good news and success stories.

  6. See if there are opportunities to socialize the content before the presentation. It is always best to talk to an audience that already supports you. But access to board members may not always be available before the meeting. So talk to other functions, their reports, and others who are presenting at the meeting, so that your message is tied to theirs and they restate and support it. Do not be the sole harbinger of doom or hope; see if you can have allies.

Prepare and practice, and know the script back to front and front to back before the meeting.
