Blog

Board, (Dash)board and Bored

May 04, 2022

BoardMeeting By Jon France, CISSP, CISO at (ISC)². Following our last quarterly meeting with our Board of Directors, Jon began to think about what a CISO should present, how to present it and, of course, what you hope the key takeaways are.  

Board priorities are clear – protect the organisation, discharge duty of care, grow the business and set or correct strategic direction, but what and how does the CISO tell the board what the cyber landscape is?  

The purpose of a Board – like the (ISC)² Board of Directors – is to consider strategic directions, bring expertise, balance risk and have fiduciary responsibility and duty of care. They need relevant information, opinions and insights on how to discharge their duties. A board equally needs to understand information being presented (jargon alert!) and not get swamped in the operational mire that can be stats and tooling.  

Dashboards are quite useful for conveying trends, core data, high-level insights, but need good commentary. The CISO can, and should, provide this commentary and what it can mean for the business. They should present a mix of history to show what has happened and why (including operating environment), what has been done in relation to any arising challenges, and, of course, what is to come and what is anticipated as future challenges. A good CISO is versed in threat and should be able to show what they are, quantify them and of course what the threats are actually threatening (i.e. assets, operation and regulatory requirements, in essence that they understand the business).  

Budgets and balance can be broken down into “getting the best bang for the buck” when you’re on the receiving end of information in which you’re not a subject matter expert. Numbers are the great equaliser. “How much did it cost?” “What will it cost for what result?” But be careful as this can devolve into an insurance-type conversation when cyber activities are involved. Risk and reward metrics are again useful, and tying them to business outcomes (or indeed lack of outcomes) not only shows an ability to understand the levers of business, but also that you are protecting and supporting the growth of business operations and outcomes.  

Many see the job of a CISO to protect from attack. More important than that, CISOs know that resilience is key and a lifecycle discipline. It’s not simply about defence, but rather holistic protection of people, reputation and assets which involves being able to deal with, and recover from, successful attacks. Getting a board to understand the cycle, and more importantly their part within it, is a key message to deliver. What pressures your organization faces within the cycle and how these will be overcome are vital to present.  

There are many calls on a CISO’s time and focus, sometimes having them get “in the trenches” and board meetings wait for no person! Building the information, consideration and most importantly, the narrative, is an iterative process throughout the time between board meetings and keeping a regular diary of notable items can help job memories and build that story. You’ll be able to add colour to information and reasoning, making it even easier for your board to understand.  

Presenting to a board takes skill and acumen. Covering landscape, risk, budget, insights and predictions … a narrative that shows understanding of the business, its aims, how to protect them and – in many cases – how to support them and be part of its growth.  

Ultimately, the board should feel what they are hearing makes them confident in their understanding of what is being presented, that it satisfies their need to discharge their duties, that it is not overly technical and, of course, that they are not bored by it!  

If you have CISO aspirations, enroll in the (ISC)² course: CISO’s Guide to Success . It’s free for (ISC)² members, available online and on-demand and earns you 4 CPE credits.