12 tips for effectively presenting cybersecurity to the board

Cybersecurity is a top concern for boards of directors.

Don’t let your board presentation miss the mark. Follow these best practices and common mistakes to avoid when communicating cybersecurity risk to the board.

In fact, 42% of the nearly 500 leaders surveyed by the National Association of Corporate Directors listed cybersecurity risks as one of the five most pressing concerns they’re facing — just behind changes in the regulatory climate and an economic slowdown.

As a result, security executives are increasingly going before boards to brief them on the risks they face and strategies to mitigate them.

“More boards are saying, ‘Talk to us, tell us what we need to know,’” says Gary Hayslip, CISO of internet security company Webroot and a veteran board member.

Yet, many board members find that they’re not getting the information they need from their chief information security officers.

“Board members are talking about cyber risk, and risk and audit committees are spending a lot of time grilling the CISOs, and they’re generally dissatisfied with the experience,” says David Chinn, a senior partner with management consulting firm McKinsey & Co.

There are steps that CISOs can take to avoid such negative reviews. Here, several experienced leaders share their advice for presenting to the board:

1. Do more prep work

Executives are expected to prepare written reports for distribution to board members in the weeks ahead of presenting to the board in person. Some think that advance work is enough, but experienced executives and leadership advisors say CISOs (especially those with limited time before boards) need to do more focused prep work or even receive specific training.