Help the board understand why cybersecurity is critical to the business.
With recent highly publicized security breaches at large companies and organizations, boards of directors and C-level executives are beginning to recognize the importance of cybersecurity and risk. In fact, Gartner estimates that by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually. This represents an increase from 40% in 2016.
Security experts who have been trying to convey the importance of cybersecurity for a long time finally have the opportunity to and the responsibility of presenting key issues to the board. Unfortunately, security and risk management leaders struggle to present this information to the board in a way that nontechnical executives will understand, and they may fail to get across the main points.
By 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity.
“Boards are becoming increasingly interested in security and risk management; however, there’s often a misalignment between what the board needs to know and what security and risk management leaders are able to convey,” said Rob McMillan, research director. “It’s critical that security and risk management leaders supply board-relevant and business-aligned content that is not hampered by overly technical references.“
The key to a successful presentation is to ensure that it answers key questions about how cybersecurity can and will support the company’s main mission and business, relevant environmental factors and the extent to which material risks are being managed. Most importantly, don’t allow the presentation to bog down in overly technical explanations, and ensure each point is high-level enough that the board will understand it, but detailed enough to give them a true picture.
Mr. McMillan suggests a “five slides in 15 minutes” style presentation, with an intro and closing slide.
Slide 1: Get started
Slide 1 is designed to be the call to attention slide. It needs to be sparse, and simply identify the topics you’ll cover in the following slides. No details are necessary, but it should signal that the presentation will include information about business execution, strategy, external developments and risk position. It’s high level, and sets the scene for the board.
Slides 2 – 6: Performance and contribution to business execution
It can be difficult for CISOs to demonstrate how security contributes to business performance. However, when presenting to the board, it is key to link (implicitly or explicitly) security and risk to business elements that the board members value.
Whatever version of these slides makes sense for your enterprise will enable you to highlight metrics and how the security team is contributing to the positive outcome. However, you should also be prepared to explain potential problem areas and their implications. Bring more detailed documentation on how each metric was produced for any board member who asks.
Slides 3 through 6 should discuss how external events will affect security, an assessment of the existing risk position (this can change depending on acquisitions and other events) and the entire security strategy.
Slide 7: The call to action
Finally, wrap up the presentation with a closing slide to reiterate the main points and any action items. The key is to close strongly, leaving the board confident in your plan and abilities. Summarize the points you’ve made, and be clear about anything you have requested. This is a good time to take questions, and thank the board for their time.
Get Smarter
Client Research
Gartner clients can see the full slide-presentation in the full research Board-Ready Slides for Cybersecurity and Technology Risk Sample Narrative — Progress Update.
Gartner Security & Risk Management Summits 2017
Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summits 2017 taking place in National Harbor, Maryland, Tokyo, Mumbai, India, Sao Paulo, Sydney London and Dubai. Follow news and updates from the events on Twitter at #GartnerSEC.
Security Hub
Visit the Gartner Digital Risk & Security hub for complimentary research and webinars.
