Board presentations on IT risk: Don't make these five mistakes

CIO and CISO board presentations on cybersecurity are on the rise. Jeremy Bergsman of consultancy CEB explains what not to do.

High-profile breaches in the news have positioned cybersecurity as a top risk concern in boardrooms across the globe. While presenting to the board of directors is a personal and professional growth opportunity, reporting in-depth cybersecurity information is new terrain for most IT leaders, since it hasn't historically been on the board's priority list.

This visibility is exciting, but also risky. IT leaders often struggle to win the confidence of the board and fall short of providing effective assurance, largely because of mistakes in their presentations. CEB conducted over 100 conversations with CISOs, CIOs and board members. In doing so, we identified five common mistakes IT leaders make when presenting information risk to their boards. We also learned how the best IT leaders avoid these mistakes to build and deliver successful board presentations, and build trust among directors.

Mistake 1: Misunderstanding the board's role in decision making

IT leaders fail in their board presentations when they try to use presentations to advance management decisions, such as setting budgets, making investment trade-off decisions, and soliciting guidance on strategic projects. These types of management decisions are the C-suite's job, not the board's. Rather, the board's role is to fulfill its fiduciary duty to ensure risk is managed. This is primarily accomplished by evaluating leadership's effectiveness and ensuring the organization has the right management team in place.

IT leaders who come to their board presentation asking the board to make management decisions about information security are likely to fail. Instead, the best IT leaders ensure that every aspect of their presentation is designed to build their credibility as a leader. This starts by simply demonstrating a clear understanding of the board's role and the priorities and backgrounds of directors.

Mistake 2: Failing to connect disparate elements of the presentation into a cohesive picture


IT leaders often use different frameworks throughout their board presentations. For example, they may use the NIST Cybersecurity Framework to discuss security controls maturity, the Cyber Kill Chain to explain relevant breaches in the news, and a bespoke ERM framework to discuss the top security threats facing the organization. Using multiple frameworks causes confusion for the board and fails to draw connections between conversations, which also erodes the board's confidence in the presenter.

The most successful presentations to the board are those that use a single framework for all presentations to create consistency, improve clarity, and keep discussions at an appropriate level. For example, a single framework can be used to:

- Update the board on the organization's security posture
- Explain the information security organization's strategic plan
- Frame security governance discussions
- Outline the information security organization's project prioritization
- Communicate risks and unpack breaches in the news

Mistake 3: Presenting the wrong kinds of metrics

IT leaders often present operational metrics, because these are the metrics that they have. However -- even when aggregated and translated into "business language" -- this is rarely useful to the board. Reporting operational-level security activities does little to provide assurance or earn the board's trust, in part because the board doesn't have the ability to interpret operational metrics or translate them into a high-level understanding of information risk management. Another mistake is trying to present a quantification of risk, often expressed in monetary terms, with the aim of making information risk more accessible for the board. This approach also fails because objective risk quantification is not only impossible, it can even be misleading.

The best IT leaders recognize the shortcomings of operational metrics and risk quantification. Instead of focusing on them, they report a systematic approach to risk management based on managing control and functional maturity. In other words, they provide an objective view of the security function's maturity, compare this to peers, and show how maturity is changing over time. Any presentation of risk information is kept very high level and used for context, not to frame decisions.

Mistake 4: Failing to strike the right balance between too many and too few security gaps

IT leaders often present either a "sky is falling" view of information risk or an "all-green dashboard" view. The first approach results in a long list of unmitigated risks or security gaps, which damages the IT leader's reputation, undermines her credibility, and indicates that the presentation is targeted at detailed problem solving rather than board-level oversight. The second approach fails because it presents an overly optimistic picture of information risk that's unrealistic and signals that the IT leader is in denial of reality.

Rather than take a fully negative or positive approach, the best IT leaders focus on providing transparency about key security gaps and couple these gaps with a discussion on strategies to mitigate the resulting risks. In short, effective IT leaders build their presentation around the board's primary concern -- ensuring that the management team is competent and is managing risks as they arise.

Mistake 5: Managing board presentations as one-off activities

Historically, presenting information risks to the board was not a routine ask of IT leaders. But now, many IT leaders spend 15% to 20% of their time annually preparing for, delivering and following up on board presentations. Given the time dedicated to board reporting and the breadth of activities required for success, IT leaders find that they miss key steps or scramble to prepare for each presentation when they take an ad hoc approach.

Instead, the best IT leaders follow a standardized board presentation lifecycle built around all phases of preparing for, delivering and following up on presentations to the board. They budget time for preparing a high-quality output, document key steps and techniques learned over time, and develop a curriculum for future presentations.

Corporate directors are facing unprecedented pressure from shareholders and regulators and are consequently dialing up their level of scrutiny of IT leaders. These leaders should consider greater exposure to the boards as a personal career opportunity that should be managed carefully. By avoiding key mistakes in board presentation, IT leaders can build their board's confidence in their ability to handle information risk, and also their own credibility.

Jeremy Bergsman is an IT practice leader at CEB, a best practice insight and technology company. He oversees quantitative and qualitative research studies on topics including measuring and changing end-user behavior, risk assessment, roadmapping and planning. Educated as a neuroscientist, he holds a doctorate from Stanford University School of Medicine and was a postdoctoral fellow at Yale School of Medicine.
