Building a Better Boardroom Presentation
Fifteen minutes in a quarterly meeting does not seem like enough time to adequately communicate security’s mission, but a smart presentation can accomplish great things.
You know the signs you’re losing your audience – glazed eyes, extended smartphone use, yawns, repeated glances at watches and clocks. Whether you’re addressing your security officer force, your CFO or the Board of Directors, it’s imperative to hold your audience’s attention so they can better understand security’s role in enabling the business. A security leader may only have a few minutes of leadership’s time, however, so how can you use your time to the fullest?
Prepare a well-crafted, tailored, relevant presentation.
It’s much easier said than done, and it requires diligence, research and partnership.
Especially for a security leader who is new to an organization or presenting to the Board or C-Suite for the first time, it’s vital not to waste the opportunity to provide a valuable, engaging presentation. According to Chris Pierson, General Counsel and Chief Security Officer at business payment network Viewpost, you first need to understand the various drivers that the Board and executive management have; while the CISO might be focused on not getting on the front page of the newspaper for a data breach, the Board and C-Suite have different priorities.
“Unless you’re able to effectively communicate your message and about your topic – risk, cybersecurity, enabling business – the Board becomes very shut off to it, and you have a harder time moving forward with those programs within the organization,” says Pierson.
A CSO or CISO’s continuous drive to only reduce risk throughout the organization can be opposite to other executives’ goals of business growth and expansion and creating revenue opportunities. “If you have that misalignment at the executive level and you do not understand the drivers, you’ll be much less effective in your message and, honestly, in your career. When you have the CSO focused in on just reducing risk – serving almost as a police force to the company – you become the finger-wagging individual at the company. You can’t play that role. If every meeting ends with a ‘we could be hacked’ comment, then you, as the CSO, are not being an effective leader, an effective manager or an effective businessperson. The most important job of the CSO is to enable the underlying business of the company. Whatever goods and services your company produces, from sneakers to coffee to airline travel, you are there to enable business to happen and to figure out ways for it to happen in a safer, more transparent manner. But at the end of the day, you’re not there to have only the best security ever – that’s not the goal of the company.”
This is what Boards of Directors and executives want to see: evidence of security’s work to enable business, not just technical metrics about breaches, vulnerabilities, camera counts, etc. It’s about elevating the story of the security department.
“Understanding risk and technology is just table stakes for the CSO,” says Frank Kim, Founder of security consulting and CISO advisory firm ThinkSec and former CISO for the SANS Institute. “That just gets you a seat at the table. Understanding what your competitors are doing, what your business’s goals are, that makes you a business executive, not only a security executive.”
So how do you, as a business executive, understand what the Board wants to see and how?
“Avail yourself of other people in the company,” Pierson says. “A key partner is often the general counsel’s office or the secretary, as they run Board meetings, establish timelines and compile materials. They can show you prior Board books (the packet of in-depth materials given to the Board prior to presentations) and may give you information on Board members, their backgrounds and how to present to them.”
Pierson also recommends checking that your presentation is in line with your direct superior’s topic and metrics, so you’re not breaking ranks or surprising your managing executive in front of the Board. Know what the privacy teams, audit teams and marketing departments are presenting – did security get involved in any of their recent projects? How did the security department help to enable the business? In other words, don’t report in a silo. This team-player approach not only assures security’s position as a business partner throughout the enterprise, it also opens up the opportunity for you to report metrics and involvement to the Board at multiple sessions throughout the year, Pierson says.
It’s necessary to adjust your language and vocabulary during a high-level presentation. Most Board members are not going to be well-versed in security or cybersecurity jargon and acronyms, so take a step back and reframe your efforts in terms of risk and where security sits in the larger business landscape.
If diving into technical aspects of security is necessary, frame it in a way executives will understand, such as connecting the Internet of Things to home automation, says Pierson.
Security leaders often suffer from the “Curse of Knowledge,” Kim says, and they try to pack as much data into a presentation as possible. But in a quarterly meeting, security might only have 15 minutes, so less is more. Kim recommends working with the marketing department to promote the work of the security department in ways that the Board understands, like building a simple dashboard graphic of critical areas that can be updated each quarter, adding context and continuity to security’s presentations.
Chris Zoladz, founder of information protection and privacy consulting firm Navigate LLC, says security leaders should “use the Communications team to help refine the material on the slides to minimize text and maximize graphics. Do a practice-run of the presentation to a member of the Communications team so they can coach you on the effectiveness of the delivery. Review the presentation with the executive (e.g. CFO) who is the primary creator of the Board meeting agenda. He or she can also help validate that the content will resonate.”
Zoladz also recommends that you take the time to research each Board member to understand their backgrounds. “It can be helpful to speak with a member of management who attends the meetings to get his or her insights about the Board members and likely questions they may have. Also, remember that most Board members are accomplished executives at other companies and likely serve on multiple Boards. As a result, they may not have time to fully read any advance materials before the meeting.”
To avoid the “Curse of Knowledge” pitfall during the presentation, Pierson recommends preparing in-depth materials first (often included as an appendix or within the Board book) and then condensing the key points to three to five slides. CSOs should have the metrics on hand to back up their talking points as needed.
There are three main types of metrics that a security leader can collect, says Kim:
Technical Metrics: Raw data generated by analytics and sensors within the organization, such as raw counts of events that occurred, vulnerabilities discovered, etc. This level contains vital information, but not much insight.
Operational Metrics: Actionable information built from the mountain of technical metrics that can help improve the work the security function does.
Executive-Facing Metrics: A higher-level view of the progress the department is making in key areas. Can also include key performance indicators and key risk indicators. Many will be dependent on the business: A retail chain may want more metrics on loss prevention or fraud; a healthcare organization may want metrics on the integrity of their data and health records; a financial institution may prefer high-level metrics centered on privacy and compliance.
“Your executive metrics should be tied back to the primary drivers of the organization,” says Kim.
Emphasizing the executive-level metrics to the Board helps to ensure they’re getting the best value for their time while keeping the conversation on the right level, but it’s also necessary to have the operational and technical data available, in case a Board member or executive asks more in-depth questions, he adds.
Zoladz warns that trying to answer a question without the data prepared to back it up in the moment could backfire – deferring and promising to provide an answer within a reasonable timeframe is acceptable at times. “This deferral should be used sparingly, which underscores the need to be thoughtful and proactive about preparing for curveball questions,” he says. “If you often find yourself in a Board meeting and you cannot effectively answer questions, the odds are that this could be the start of a countdown to a time when you will be told to pursue other opportunities. Your performance is not just a reflection on you, but also on management.” If a CSO wastes time trying to address a question he or she isn’t prepared to answer, that’s also wasting the valuable minutes allotted to security in the boardroom to get through the rest of the presentation.
That’s not to say discussion is unwanted, however. If the Board asks a lot of questions and wants to dedicate more time to security, you have their attention, and the floor is yours, says Zoladz.
Thoughtful preparation and awareness about recent events (breaches, terrorist attacks, etc.) can help to quell many boardroom concerns, says Kim. Having a threat analysis report prepared about “what happened,” “could it happen here and why,” “what would happen if it did,” “are we prepared,” and “what can or should we do about this threat” would turn a topic focused on fear, uncertainty and doubt into a learning experience and an opportunity to build the Board’s confidence in security’s preparedness.
By building on this confidence and repeating certain key metrics from quarter to quarter, you can construct a rapport with the Board or the executives, and develop a narrative about security’s mission and its place within the company.
“Keep your presentation simple – having a concise message with your overall plan, roadmap and framework structure tied back to the overall plan of the enterprise is what is going to drive your success,” says Kim. “Remember: Your story is your strategy. A lot of this sounds like marketing, but it’s not just fluff – if we as CSOs don’t understand our story – why security’s important to the business – we are never going to tell our security story.”