There is a steep rise in interest from the Board and CEO of an organisation in understanding the security posture of their company. This is partly due to increasing pressure from government regulators and stakeholders, and partly due to discussions about the potential individual liability of corporate directors who do not take appropriate responsibility for oversight of cybersecurity.
However, there is a huge disconnect between what security professionals think the Board wants to hear and what the Board actually wants.
Top 3 Things CISOs Should Avoid In A Board Presentation:
1> Board Does Not Want Deep Technical Details / Acronyms in Your Presentation
Board members are not cybersecurity experts and do not necessarily understand technical jargon or security acronyms. The board does not need technical details such as the architecture you are using. Explaining by way of business examples, or in terms the board can relate to, is important. You need to show how your efforts to secure the organisation align with the business strategy of the organisation.
2> Board Does Not Want FUD: Fear, Uncertainty, and Doubt
Exaggerating the cyber security risks or giving examples of terrible hacks that have happened at other organisations will not help. You can certainly explain relevant incidents that have happened in the recent past, or changes to regulations and the threat landscape. Along with this, you need to show your strategy for complying with these changes and the steps you are taking to mitigate risks in the changing threat landscape.
3> Board Does Not Want To Know The Problems (They Need The Problems & Solutions)
The board wants to understand the risks and how they can be mitigated. Along with the most significant security risks, you need to highlight the ways to address or mitigate those cyber security risks. As security cannot be measured in absolute terms, a good approach is to start with where you are, explain the "State of Security in comparison with competition", and then describe where you would like to reach.