
Lessons From Ignite: 5 Tips for CISOs Presenting to the Board

You have 5 minutes to explain why you are relevant to the business and define your organization’s risk posture…ready…set…GO!!!

This week I presented for the first time at Ignite. If you are not familiar with the format, you have 5 minutes and 20 slides that automatically advance every 15 seconds. Creating the presentation is a challenge, as you have to abstract the salient points and deliver the message clearly and quickly. At Tripwire there has been a lot of discussion about making the CISO relevant to the business, and it made me wonder: what if CISOs had to use the Ignite format to present to the board?

In the old model CISOs reported to the CIO, and the reporting was usually technical in nature, focused on the status of projects. However, as security becomes a larger part of the overall risk posture of organizations, boards are becoming more interested in hearing directly from security executives. That requires a different level of communication, one that CISOs/CSOs may not be used to delivering.

Here are a few tips that can help CSOs when presenting to the board:

  1. Keep It Relevant to the Business: The board does not want to hear about tactics, security architecture, or operational issues. They want to understand the organization’s risk posture, topics related to compliance, and anything that could affect the organization’s bottom line.
  2. Keep the Language Simple: Boards are generally not comprised of technical people, so remove overly technical terms and concepts from the language you use, without being condescending.
  3. Metrics: Boards understand numbers. Focus on key metrics and facts. Provide the information in rich graphics that can be easily printed and understood.
  4. Be Ready for Questions: The board may not be technical, but they are smart and will ask tough questions that you need to be prepared to answer. You are the expert, and “I don’t know” is not an option at this level.
  5. Listen: Just as important as the questions the board asks are their reactions: what information they are interested in, and what you can highlight next time. This is also an opportunity to learn about initiatives that may affect your projects, from the acquisition of other companies to reductions in staff and budget issues, for example.
Ken Westin

Your Pundit of Paranoia