
Ric Longenecker • August 26, 2024
CISOs and the Board: Why it matters more than ever

Following up on our post about security strategy, we’re going to focus on executive communication. Security leaders frequently encounter advice on how to present to boards, with general tips like "limit metrics," "tell stories," and "find your security champion." While these pointers can be helpful, the details of how to present, how often, and especially the board-level failures are rarely discussed.



There are a few reasons behind these gaps. Board communication is genuinely hard. It can be chaotic and stressful, especially for new or developing executives. And success sells; failures don’t.

The Challenges of Board Communication

Board communication is notoriously challenging, often chaotic, and stressful, especially for those new to the role.


Presentation is incredibly important, whether your audience is the Board of Directors, Executive Board, or Management Team. The reality is that CISOs are often ill-equipped when thrust into their first or continuing Board sessions, with as many as 60% normally operating in “Junior” executive positions. Security leaders need to learn “on the fly”. Meanwhile, Cyber as a subject is appropriately receiving more and more exposure owing to rising regulation and risk. This presents a great opportunity to advance security. Typically, a first Board security session happens in a “honeymoon period”. As with anything in business, however, every opportunity must be followed by execution.


With the average CISO tenure potentially at 2.3 years, a hidden factor in effectiveness and length of engagement is how well a leader is able to hold their own in the wider corporate context. So let’s dive into changing regulation and expectations in Europe, why performance at the Board matters, and the best practices and resources available to security leaders.

Changing Regulations and Board Expectations

In 2024, the engagement of CISOs with company boards continues to vary globally. Notably, around 50% of CISOs engage with their boards at least quarterly, though 25% report an ad hoc relationship or no engagement at all. This marks a slight improvement from 2022, where 61% of CISOs reported to the full board and 43% reported to both the board and a committee.


In the EU and Switzerland, regulatory developments are pushing boards’ attention toward cybersecurity. The EU’s NIS2 Directive mandates stricter cybersecurity measures and reporting requirements, making compliance a board-level concern. In Switzerland, FINMA’s Circular 2023/1 introduces new requirements for managing operational, ICT, and cyber risks, further underscoring the importance of board oversight in these areas; specifically, it requires that an organization’s Board of Directors approve ICT and cyber risks once per year, and that an Executive Board receive reports from risk functions at least twice per year.


These changes have led to the creation of board-level cybersecurity committees and a growing emphasis on regular updates from CISOs. The shift is further evident in the growing percentage of board members with cybersecurity experience or exposure. This is still an area that needs further development, particularly in non-tech sectors.

Typically, a CISO or security-focused board briefing lasts anywhere from 15-45 minutes, with general board expectations being oversight of risk, staying informed, and a brief overview of strategy or programme status. Ultimately, the overall expectation is a strong degree of “executive presence”, which both people new to the experience and seasoned executives need to learn and further develop.

Why the Board/CISO Relationship Can Make or Break a Program

The relationship between a Board of Directors and security leadership is critical to the success of an organization's security program. Often, a CISO is given the opportunity to present a 90-day plan or strategy early in their tenure, setting the tone for future interactions. This initial engagement is crucial, as it establishes trust, sets expectations, and influences the frequency and context of future updates. The strength of this relationship impacts several key areas:


  • Alignment with Business Objectives: Ensuring that security initiatives align with the company's goals
  • Resource Allocation: Securing the necessary resources for effective security management
  • Risk Management: Prioritizing and addressing security risks
  • Crisis Response: Effectively managing incidents and crises
  • Compliance and Legal Liability: Meeting regulatory requirements and avoiding legal pitfalls


Perhaps most importantly, board support can significantly enhance a CISO's ability to implement security policies and foster a security-focused culture within the organization. A poorly managed Executive-Board relationship can devolve into a loss of trust and a paralyzed working relationship. Without this support, security initiatives may face resistance, and the CISO's effectiveness, and tenure, may be compromised.

Best Practices for CISOs When Engaging with the Board

Based on our experience preparing for and presenting to Boards, here are some fundamental concepts to keep in mind:


  • Know the Presentation Purpose: Aligning your messaging with senior leadership and understanding the specific purpose of your presentation is, quite frankly, the most important point. There are formal aspects of an agenda point on Security, such as reporting, but there may also be a specific request or an expectation for an efficient, informative session. Be prepared for this purpose to change, sometimes at the last minute.
  • Practice Your Style and Language: "Executive presence" is key. Your spoken delivery should be clear, jargon-free, and precise. Showing professional personality while avoiding appearing overly self-assured is tremendously beneficial. The Board’s perception of security is as much a measurement of you as of what you show. The presentation itself must be highly professional, succinct, and informative. It is common practice to provide “pre-reads”, or appendices where extended information is given, while the main presentation is at most 3-5 slides that are actually used during a 15-minute session. Overall: practice, practice, practice, and work to find sparring partners both inside and outside your organization.
  • Demonstrate Business Alignment: Tie security initiatives to business objectives, showing how they can drive business value. This can be done by providing viable and creative ways the topic can propel the business. Security can’t live in a silo; while an initial board session may cover fundamental strategy, what keeps you on the agenda is your link to the actual business.
  • Be Ready to Explain the Landscape: As a security leader in an organization, one of your most important functions is to be an advisor. You must be able to explain the broader security context, discuss specific topics, and address current events or risks. Workshops or sessions with specific members to prepare them for the topic may be highly beneficial.
  • Use Metrics Wisely: Present metrics that matter, making sure they are clear, relevant, and visually engaging. Metrics should support your main points and be included in both the main presentation and any supplementary materials. Commonly covered topics include benchmarks, incident numbers and trends, and limited ICT statistics. In the background, a solid foundational IT security metrics implementation really helps you get the right data when you need it.
  • Know that You are not Alone: Don’t hesitate to seek coaching or peer support when preparing your board presentations. Experienced executives understand the value of peer and external feedback and unbiased coaching. A fixed mindset will often eventually fail. Long-standing executives are creative and recognize the value of direct peer discussions, as well as the growing trend of seeking unbiased executive coaching to help them learn and improve.




Want to know more? Reach out to us for practical and hands-on guidance tailored for your needs.

