84% of board directors acknowledge cyber risk as a business risk, according to Gartner’s 2024 Board of Directors Survey (subscription required). Yet, many CISOs still find it difficult to secure enough support and resources to drive cybersecurity initiatives forward.
What CISOs need most to obtain sufficient backing from the board are tools that convey cybersecurity issues effectively. This article provides tips and best practices for CISOs on how to communicate IT security to the executive board and deepen their involvement.
Why do CISOs need to improve their communication with the board?
A lack of effective communication between a CISO and the executive board is often the primary reason that organizations fail to implement proper cybersecurity measures. The most likely reason is that the board and the CISO speak different languages.
While each organization’s board is unique, most board executives don’t have a technical background. According to the 2024 Global Chief Information Security Officer Organization and Compensation Survey conducted by Heidrick & Struggles, only 29% of boards possess “a large extent” of cybersecurity expertise and knowledge and can respond to a CISO’s presentations insightfully. That being the case, it may be challenging for the board to understand the interrelation between cybersecurity risks and business risks.
CISOs often tend to forget that the board has little insight into the complexity of cybersecurity operations. Some CISOs don’t know how to present cybersecurity to the board using business terms, which causes board members to underestimate the value of cybersecurity and, consequently, leads to insufficient cybersecurity budgets.
Enhancing executives’ cybersecurity expertise through effective communication can benefit an organization’s security in many ways. For instance, when the board is knowledgeable about cybersecurity, the organization is less likely to spend a lot of money on unnecessary security measures just because “everyone is using them” and is more likely to implement measures that are tailored to the specific security needs of their organization.
Moreover, board members’ cybersecurity expertise may soon stop being viewed simply as an asset and become more of a requirement in some countries. In 2023, the US Securities and Exchange Commission (SEC) adopted rules that require organizations to report on the board of directors’ cybersecurity expertise. However, the addition of cybersecurity experts to executive boards remains low for now.
To help you prepare for your meeting with the board, let’s first take a look at what executives expect you to report.
What should a CISO’s board report contain?
The aspects of your organization’s security that should be reported may depend on the type of board meeting. For instance, what you report in an annual board meeting will differ from what you discuss in an incident-driven meeting. Here, we review the most crucial information you may need to report to the executive board during regular quarterly meetings:
1. Current cybersecurity risks
Research current widespread and industry-specific security incidents before the meeting. Board members should realize that the threat is real. Ideally, provide a few real-world examples and their consequences. If you work in one of the industries at risk of cyberattacks, emphasize that fact to the board as well.
After your research, consider conducting a risk assessment. It can help you:
- Detect areas vulnerable to cyberattacks
- Prioritize risks
- Evaluate how efficient your current security measures are
- Outline new measures to implement
- Determine the probability of future cybersecurity events
When sharing the results of the assessment with the board, emphasize how likely certain security incidents are for your organization and the potential financial losses from each of them.
The same goes for third-party risks. Each third-party vendor you cooperate with increases risks to your organization’s security. Try to classify your vendors based on their impact on the organization. The more sensitive the data that they have access to, the higher the risk. Inform board members about vendors with the highest impact potential and the way you address the risks they pose to the organization.
2. Recent security incidents
Report any security incidents that occurred in your organization within the last quarter and their consequences. Start with the most significant incidents and gradually move on to less significant ones.
Briefly inform the board about what happened, how the security team responded, and what caused each incident. Present the findings of the incident investigation and your plans for preventing similar incidents in the future.
Additionally, you may wish to include a summary of security measures you implemented after past incidents. Describe in a nutshell how those measures improved the organization’s security and whether they have helped to prevent further incidents.
3. Results of security audits and penetration testing
To clearly demonstrate how the organization is doing in terms of security, provide board members with the results of the most recent penetration testing and security audit.
The results of penetration testing will help the board understand existing vulnerabilities in the organization’s defense. At the same time, the results of security audits can reveal gaps in security controls, practices, and compliance with industry standards. You can use these results to underscore the need to implement a new security strategy and increase the cybersecurity budget.
4. Progress on cybersecurity projects
Provide information about the status of any major projects the security team is currently working on. These projects could be related to:
- Maintaining compliance with IT security requirements
- Implementing security controls
- Managing and eliminating system vulnerabilities
- Developing or updating security policies and procedures
During your cybersecurity presentation to the board of directors, make sure to mention if these projects are on time and on budget and if they require additional resources (if they do, provide good reasoning).
Last but not least, inform board members about updated high-level objectives, costs, timelines, and ROI of the projects.
5. Competitors’ cybersecurity postures
It’s easier for board members to judge whether the organization’s security is strong enough when you compare it to competitors and industry leaders. The comparison gives them a better understanding of what constitutes an acceptable level of cybersecurity risk.
Compare your organization’s security performance to some of your competitors’. Be completely honest and show board members the areas in which your organization excels or needs improvement.
Now that you know the key points you need to report, let’s review seven best practices you can follow to prepare a report that your board of directors will understand and appreciate.
7 best practices for communicating cybersecurity to the board
Ineffective communication is a major obstacle for security officers trying to implement efficient cybersecurity risk management. We’ve put together seven valuable tips to make cybersecurity communication with executives smooth and productive.
[Figure] Reporting security to the board: 7 best practices: (1) Understand the business and the board’s priorities; (2) Speak their language; (3) Justify the implementation of new security measures; (4) Quantify cybersecurity data; (5) Keep reports brief; (6) Be ready for objections and questions; (7) Prepare thoroughly.
1. Understand the business and the board’s priorities
Maintaining a balance between technology and business is crucial for CISOs nowadays. A comprehensive understanding of business operations can provide insight into the priorities of the board and align your cybersecurity strategy accordingly.
Knowing the current priorities and expectations of the board helps you better discern what information to present during the board meeting and how to get your points across. These priorities may include:
- Preventing business outages
- Maintaining customer trust and company reputation
- Protecting the company’s innovations and trade secrets
- Complying with IT security requirements
If the board’s current main objective is to ensure compliance with updated industry cybersecurity requirements, you should tailor your report accordingly. Show whether or not your organization complies with the requirements and, if so, how. If it doesn’t, show how you are planning to ensure compliance and specify what your security team needs in order to meet IT requirements.
2. Speak their language
Adapt your report to the language of your audience to make sure your message lands. Try to simplify your language as much as possible by avoiding technical and cybersecurity jargon. Using full names and descriptions instead of acronyms that might be unfamiliar to board members can also facilitate communication.
Besides choosing the right words, make sure you present information in a business-like manner. For instance, instead of bluntly stating what needs to be secured and how it should be done, explain what value a certain security process or tool will bring to the business. When presenting metrics, point out how they’ve changed over time to illustrate how specific areas of security have improved or worsened.
Make use of visuals during your presentations. Employ dedicated tools to present data in schematics, diagrams, and graphics to make it easier for board members to comprehend.
3. Justify the implementation of new security measures
Without proper justification, executives may not be willing to invest more resources in cybersecurity. If you want to establish new security processes or deploy more tools, show the board how those processes and tools align with your organization’s current goals and objectives.
Demonstrate that new security measures can help comply with cybersecurity requirements, avoid fines and legal issues, prevent revenue or reputational losses, and reduce the risk of security incidents. Thus, the executive board will be more eager to approve the required resources.
4. Quantify cybersecurity data
Members of the executive board may have trouble understanding technical terms, but what they do understand are metrics like revenue and ROI. When delivering your reports to the board, make sure to emphasize the business outcomes of certain cyber risks or security measures and how they may impact the organization’s revenue or margin. You may want to seek assistance from the CFO or other financial specialists in your organization to back up your statements.
Make sure your reports are specific and to the point. Instead of saying, “We deployed a tool to minimize the risk of insider threats and data breaches,” you can say, “We spent $200,000 on a product to help us prevent up to $2 million in losses caused by data breaches and non-compliance fines.”
5. Keep reports brief
During your presentation to the board, you might be tempted to share as many insights as possible. However, it’s best to present only the most significant aspects without delving into too much detail. Lengthy presentations don’t get the attention and focus from board members that CISOs usually need in order to achieve their aims.
Focus on the bigger picture to keep the board’s attention and provide only necessary details. Emphasize the potential influence of security incidents on innovation, productivity, revenue, and the reputation of the company, describing IT controls and processes as concisely as possible.
6. Be ready for objections and questions
Members of the executive board should and will ask questions during your presentation. Some of the most common questions are:
- What steps do we take regarding the evolving threat landscape?
- How do we manage risk related to our third parties and suppliers?
- Are we able to rapidly contain damages and mobilize response resources when a cyber incident occurs?
- Do we have a tested incident response strategy?
- How does our security program align with industry regulatory requirements?
Questions often depend on what the board is most concerned about at the moment. For instance, if the board has previously allocated additional finances to cover a certain security gap, they might ask whether that gap was successfully eliminated. Or, if there’s a particular type of attack that companies from your industry often fall victim to, they might ask you about the measures you take to keep those attacks at bay.
Prepare strong arguments in favor of your proposals as not all of them will be approved by the board. Make sure to listen attentively to their objections and concerns and address them thoughtfully.
7. Prepare thoroughly
When reporting to the board, you should demonstrate that the security strategy you’re implementing or planning to implement is not just a random suggestion but has a logical basis and precedent.
To achieve this, you’ll need to meticulously study and analyze your organization’s cybersecurity and then present adequate justification for each of your decisions during the board meeting. To make preparations easier, make sure to always document and regularly update:
- Security procedures established in your organization
- KPIs for security measures
- A well-thought-out security plan
Be aware that performing a proper audit and analysis of organizational security can be challenging without a dedicated technological solution. Read on to find out how Syteca can help you with this process.
How can Syteca help you report to the board?
Syteca is a cybersecurity platform providing advanced user activity monitoring (UAM) and privileged access management (PAM) capabilities to help organizations enhance the protection of their internal systems and data.
Syteca UAM offers a diverse range of built-in user activity monitoring, recording, and reporting capabilities that provide insights into application usage, user productivity, triggered security alerts, unusual user sessions, and much more. You can choose from more than 30 report types to analyze the organization’s internal security environment accurately.
With the help of Data Connector and API, you can seamlessly integrate Syteca with Microsoft Power BI. This lets you present the data collected by Syteca as straightforward, interactive graphics, visually enhancing your reports to the executive board.
Leverage Syteca’s UAM capabilities during penetration testing to watch how your employees are performing in real time. Record user sessions and present them at board meetings when demonstrating your testing results.
Syteca’s screen capture recording feature can also help you spot insider-caused cybersecurity incidents happening within your organization in real time or through video playback. You can export and use these records as arguments to justify funding certain security measures.
Conclusion
It’s ultimately up to you, as the CISO, to regularly and comprehensively convey the significance of cybersecurity to the executive board. Failure to do so could result in your cybersecurity initiatives not receiving sufficient attention and/or funding and can lead to negative impacts on the security and reputation of your organization.
Following our best practices on reporting security to the board for CISOs in combination with leveraging Syteca’s reporting and auditing capabilities can simplify communication with your board of directors.