Strategies for Reporting Cybersecurity to the Board

Investment in cybersecurity has never been more vital to the ongoing health of organizations. As a CISO or similar executive leader, you understand intuitively the value of the work you’re doing in cybersecurity. But how do you explain the ROI of something that didn’t happen?

In other words, cybersecurity is all about not experiencing cyberattacks, and it’s challenging to quantify the value of hypotheticals.

The challenge of reporting cybersecurity clearly and effectively is even greater when considering the audience: usually, the stakeholders and decision-makers are not themselves especially technological people. The deeper into the weeds your cybersecurity reporting goes, the harder it will be for busy, non-specialist executives and board members to track with you.

At the same time, by delivering a truly engaging and effective cybersecurity report, you have the opportunity to gain the budget you need.

So, with the challenge of effectively reporting cybersecurity to the board in view, here are several strategies that can help you get your message across — and secure the decisions and funding you need to continue furthering your cybersecurity program investments.

Know Your Audience

Knowing your audience is key: to whatever degree you can, learn before giving the report who will be in the room.

Ideally, you want to walk into the presentation understanding both how much each member of the board knows about information security, and what areas of focus or responsibility each has. Knowing who cares most about what helps you to tailor your presentation: for example, this knowledge may direct you to focus more on the financial or operational implications of cybersecurity rather than the technical ones.

Keep Your Presentation Focused on Business Effects and Outcomes

With a diverse audience in view, most CIOs and CISOs will see the best results when they keep the presentation focused on business goals, outcomes, and effects, rather than on pure numbers or technical specifications.

You’ll typically have just 15 to 30 minutes to make this presentation, so it’s vital to make your case persuasively — and to do so neither devoid of data nor diving too deeply into it.

It can be hard for many with a career in tech to sort out what’s jargon and what’s everyday language. Don’t be afraid to pull aside a trusted peer — one that isn’t steeped in tech jargon — and walk through your presentation with that person. If your nontechnical peer is confused at any point, chances are one or more board members will be as well.

Paul Keener, SVP Head of Cybersecurity Operations at City National Bank, adds an important perspective:

“Demonstration is the most effective: demonstrating a real security flaw, there’s nothing better. Most people don’t really want to know about all the sausage-making that goes into building the attacks. They just want to see the end of it.”

When you focus on outcomes rather than technical details, people’s interest perks way up.

See more of Paul Keener in our recent round table discussion, Reporting Cyber Operations to the Board.

Choose Consistent Metrics and KPIs

This strategy looks at the long-term impact of your reporting over successive reporting periods. First, choose the set of metrics and KPIs that best reflects the needs and priorities of your business. These will not be identical for all: of course every organization prefers zero intrusions, but some businesses and industries put a heavier weight on confidentiality (often for mandated compliance), while others put a heavier weight on the availability of data and systems crucial to business functioning.

Once you’ve determined strategic priorities and then chosen metrics and KPIs that measure progress toward those priorities, it’s important to keep those metrics consistent over time. Doing so delivers numerous advantages:

  • It gives you better historical data
  • It increases board members’ understanding of and familiarity with the chosen metrics
  • It shows your progress over time, which can serve as a proxy for ROI

As you build an ongoing data set, you’ll be better positioned to create supportive visuals that communicate more directly than raw data alone.

Start With Why

Every cybersecurity investment worth making has a “why” — some reason for spending the money and allocating the resources. And this “why” usually must go deeper than simply “to not get attacked.”

And there may be multiple “why” questions represented in your board: why spend this much money on this cybersecurity initiative and not another? Why spend it here and not in sales or R&D?

Your board audience cares much more about these “why” questions than about detailed facts and figures. Keep the strategic value of every initiative and project front and center, framing any necessary conversations about the facts and figures in a context that motivates people to stay with you.

Starting with why applies to reporting on existing projects (those already implemented), projects in progress, and planned future projects that need board approval.

Josh Copeland, Security Director (Cyber) at AT&T, gives his perspective on starting with “why”:

“When I can start with the why, then I can articulate the how and what we do to mitigate those changes. Because once they understand why it’s important, why it matters to them — I can lead them to choose to accept or transfer the risk as appropriate.”

Josh’s insightful comments come from another round table discussion on tactics for reporting cyber operations to line of business leaders.

Good or Bad, Be Clear and Direct

No matter your aims or the board’s expectations, clarity and directness will deliver the best outcomes. If you’re presenting less-than-favorable results from penetration testing or a failed business continuity exercise, it does the board no good to hear a watered-down or downplayed version of events. By being clear and direct you may draw greater attention to something you’d rather not highlight, but doing so may be the key to unlocking the funding or support you need to improve.

We give the same advice for good news: there’s no need to downplay or overstate success, but if a program or initiative is delivering results, this is certainly news worth sharing.

Be Prepared for Questions

Due diligence is vitally important as you prepare to address the board about cybersecurity. You’re likely to field unexpected questions, and these can run the gamut. An interested board member might ask specific or detailed questions about a current project or past event, while another might ask what you’re doing to prevent something similar to a high-profile cybersecurity event mentioned in the news.

SightGain: Your Partner for Risk Analysis and SecOps Performance Validation

Most of the strategies we’ve covered here have one thing in common: to do them well, you need clear, visible, actionable data on your information security processes, people, and technology. You need a solution that provides verifiable insights into real-world behavior, not just simulated attacks.

SightGain is the ideal solution for testing, measuring, and improving your cybersecurity efforts. SightGain delivers both the data you need to produce a compelling report to the board and the tools to make your organization’s real-world results something you can report on with pride.

Ready to see SightGain in action? Get a demo today.