How to Navigate Board Meetings: A Primer for CISOs
Chief Information Security Officers (CISOs) are the point people for every organization’s cybersecurity. And when it comes to the boardroom, every CISO needs to be able to clearly communicate every aspect of risk management to the board of directors.
Board-level and C-suite conversations are a space to share cybersecurity expertise, flag any vulnerabilities, and contribute to decision-making.
In this FAQ primer, you’ll learn how to prepare for a corporate board meeting, so that you can confidently share your insights and keep business leaders informed.
1. What is a CISO’s role in board meetings?
A CISO is like the “bridge” that connects an organization’s cybersecurity with corporate governance and legislation. In other words, the CISO exists to ensure that each business is managing its cyber risks in a compliant way.
When it comes to updating board directors, the CISO needs to share:
- Emerging threats: These are any cyber risks that the business might face, such as ransomware attacks or supply chain disruptions
- Current vulnerabilities: The cyber risks which are most likely to occur, based on the organization’s current security measures
- Risk management strategies: The initiatives being taken to counteract these cyber risks
- Compliance: Whether the business is currently compliant with legislation and industry standards (more on this in the next section)
- Future trends and benchmarks: How the cybersecurity landscape is evolving, such as with generative AI, digital transformation, or the Internet of Things (IoT), and what the business can do to be ready
2. What US legislation should CISOs know?
Every country has its own rules and regulations, but here are some US-specific laws that every CISO should know to be board-ready.
- The Health Insurance Portability and Accountability Act (HIPAA): A law to protect the confidentiality of patients’ health information.
- The Gramm-Leach-Bliley Act (GLBA): Legislation that requires all financial institutions to communicate how they share information and safeguard their customers’ data.
- The Sarbanes-Oxley Act (SOX): A set of auditing and financial regulations for public companies to follow.
- The Payment Card Industry Data Security Standard (PCI DSS): A series of data security standards and resources to facilitate safe payments for everyone.
This is not an exhaustive list, as every industry will have its own set of standards. Every CISO and cybersecurity expert should have a comprehensive knowledge of these, as this will guide their initiatives and decision-making.
3. How should CISOs prepare for board meetings?
Meeting with corporate directors might feel daunting, but with the right preparation beforehand, any CISO or security team can take it in their stride.
Firstly, they should gather relevant cybersecurity metrics. Using data will help to convince board directors of the best strategies and initiatives moving forward. (We’ll talk more about metrics in FAQ #5.)
Secondly, they should prepare for any questions that people in board roles might ask. By anticipating queries and objections, they can confidently share their cyber expertise right away.
And finally, CISOs should be aware of how cybersecurity is changing. Staying on top of the latest insights will give the board directors and stakeholders peace of mind, knowing that they’re one step ahead in the game.
For example, you can read CybelAngel’s 2024 cybersecurity report to understand the current landscape and use it to inform your strategy for this year.
4. What are the essential components of a CISO’s presentation?
Here’s a questionnaire to help you prepare your presentation to the board in more detail.
- Cybersecurity metrics: What is the data showing (e.g. number of security incidents or response times)? Does anything need to change?
- The threat landscape: What are the main cyber risks to be aware of right now? What trends are emerging?
- Current cybersecurity measures: What are we doing to avoid these cyber risks? What are our strengths and weaknesses?
- Incident response plans: What happens if there’s a cyber attack? How do we tackle it head-on? And have we done any simulations of this already?
- Compliance effort updates: Are we compliant with current corporate governance and laws? When did we last audit this, or get a certification or an assessment?
- Looking ahead: What initiatives are we planning for the coming months? How do these align with the board’s wider business goals?
5. What metrics should CISOs report to the board?
You should highlight cybersecurity metrics that are relevant to board members, including (but not limited to):
- Number and severity of security incidents: This shows how effective your current measures are
- Incident response times: This is an indicator of how effectively you can detect and resolve a threat
- Compliance metrics: These show the degree to which you’re adhering to current legislation
- Risk exposure of critical assets: This reveals the likelihood of your data being compromised
- Cybersecurity return on investment (ROI): This can justify your use of cybersecurity measures and show the financial benefit to the business
6. How can CISOs effectively communicate with the board?
Remember—not everyone has an advanced education in cybersecurity! Board members might not understand all of your technical expertise, so it’s essential to break down the information in a way that’s accessible and relatable.
Firstly, make sure you use clear language. Technical buzzwords might sound clever to you, but they won’t help your audience. Don’t patronize the board of directors, but equally, keep your explanations clear and simple to avoid confusion.
In addition to this, you should always try to give examples and visual aids to showcase your work. Plus, you can share case studies. For example, even Microsoft suffered a cyber attack in January, and LinkedIn had a data leak for 500 million users last year—showing that no one is immune! Stories like this will highlight the importance of your role.
Finally, link back to the main business goals. The board of directors might not understand every aspect of cybersecurity. But if you can connect it with their wider objectives, such as profitability or scaling, then your insights will resonate much more. We’ll explore this further in FAQ #11.
7. What are the common challenges CISOs face during board meetings?
CISOs, CIOs, and security leaders often have limited time to share their cyber expertise. A solution to this is to be succinct and focus on the key insights and recommendations.
Additionally, a lack of technical expertise among board members can be a drawback for CISOs. As detailed in the last section, they must find ways to communicate clearly—without being patronizing.
Finally, some board members may not want to invest in cybersecurity. Generally, this is because they don’t understand its profitability, and you’ll learn how to resolve this in FAQ #11.
8. How can CISOs address board members’ concerns about cybersecurity?
Board members might question whether cybersecurity is worth it, or whether it really has an impact. Plus, only 3 in 10 directors feel confident that the board could effectively handle a cyber crisis, and 60% of respondents in the Spencer Stuart survey cited cybersecurity as a beneficial topic for director development, training, and education.
Here are three ways to address this.
- Share examples of cybersecurity threats: Tell real-life stories of cybersecurity incidents, and talk about the implications of an attack.
- Demonstrate the ROI of cybersecurity initiatives: Showcase the cost savings and risk reduction. For example, cybersecurity services cost 8% of the average expense to recover from a ransomware attack. In other words, prevention is better (and cheaper) than cure.
- Proactively educate your company: Run briefings or sessions to help board members understand the principles and importance of cybersecurity in more detail.
9. What are the best practices for engaging with the board outside of formal meetings?
Engaging with board members outside of these meetings isn’t just encouraged—it’s essential! The more communicative CISOs are, the more they can stay in sync with the board of directors.
CISOs should encourage board members to reach out for one-to-one meetings, briefings, and training sessions whenever they like. This will keep everyone on the same page, and reinforce the importance of cybersecurity across the whole company.
10. How should CISOs handle sensitive cybersecurity incidents during board meetings?
Cybersecurity incidents can be delicate, and CISOs need to strike a balance between being transparent and maintaining confidentiality, while still communicating effectively.
Here are five best practices to help you get it right.
- Stay composed and professional: Emotions can easily run high during stressful moments. But instead, stay calm and reiterate your confidence that the incident can be managed.
- Share high-level updates: Give an overview of what happened, what the impacts could be, and the steps being taken to handle it.
- Mention the legal and confidentiality implications: Outline the legal requirements during this time, and remind the board to respect confidentiality regulations at all costs.
- Share reassurance and next steps: Confirm that the issue is being managed as a top priority, and outline how you’re mitigating the damage and preventing it from happening again.
- Deliver regular updates: Keep the board informed of all progress. This will reinforce trust and keep them aware of how the situation is evolving.
11. How can CISOs align cybersecurity initiatives with business objectives?
Aligning your cybersecurity initiatives with the overall business strategy will help to get everyone on board.
For example, you can:
- Review your business objectives: Outline how cybersecurity will complement and safeguard these goals
- Share success metrics: Establish KPIs to show how your efforts are complementing business outcomes, such as improved customer trust
- Focus on business impact, not technical insight: Communicating in business terms will resonate more with board members
- Demonstrate ROI: Show how cybersecurity investment is much cheaper than the cost of a data breach, and that it can protect the company’s value and reputation
- Get everyone involved: Ensure that every department is invested in cybersecurity, such as by offering regular training sessions and briefings
12. What resources can help CISOs prepare for board meetings?
Getting ready for a board-level meeting can be stressful, so here are 7 resources to simplify the whole process.
- The NIST Cybersecurity Framework: A set of cybersecurity guidelines from the US National Institute of Standards and Technology.
- EC-Council: A certification platform for CISOs, designed to help them “train for the C-Suite.”
- Gartner: Get the latest reports and roadmaps designed for CISOs in 2024.
- Dark Reading: A cybersecurity community news site to stay on top of the latest developments across the world.
- CSOonline: A cybersecurity news reporting website to keep you updated on the most recent trends and stories.
- TechTarget – Search CIO: A digital transformation, IT, and risk management news site for Chief Information Officers (CIOs).
- The CybelAngel Blog: A blog dedicated to EASM cyber insights, covering everything from domain squatting to the dark web and beyond.
13. What are the consequences of failing to effectively communicate with the board?
The role of every CISO is underpinned by communication, communication… and more communication. When a CISO fails to communicate effectively with the board, it can bring consequences to the whole company.
Firstly, the organization will be more vulnerable to cyber threats. If the board doesn’t understand cybersecurity risks, then they may be less willing to invest in security initiatives, making the company more vulnerable to data breaches, ransomware attacks, and more.
Secondly, the business may be more likely to face regulatory fines and penalties. If the board isn’t prioritizing compliance, then some standards could slip through the cracks, and it could lead to fines and reputational damage later on.
Yahoo shareholders took action in 2019, with the New York Times reporting that, “The former officers and directors of Yahoo agreed to pay $29 million to settle charges that they breached their fiduciary duties in their handling of customer data during a series of cyberattacks from 2013 until 2016.”
Thirdly, the company’s reputation could suffer. Without the right cybersecurity measures, a brand could lose its integrity, and this could in turn affect customer and investor trust, along with future business opportunities.
14. How can CISOs boost their profiles in preparation for board meetings?
To set yourself up as an expert and gain board members’ trust, it’s important to nurture your professional image, both during and between meetings.
For example, you can…
- Grow your network: Attend industry events, engage with the CISO community, and reach out to influential figures in your niche
- Ask to stay for the whole meeting: This means you can build relationships with the board of directors and better understand the wider business goals
- Work on your leadership and communication skills: This knowledge will help you to stand out and be heard in the boardroom
By growing your contact list, being present for the whole meeting, and developing your soft skills, you can reinforce your technical expertise and build trust with the board of directors.
15. What if a CISO isn’t invited to board meetings?
CISO voices are severely underrepresented in board meetings. In fact, a recent study found that only 1.4% of companies have a CISO on their board—even though cybersecurity can literally “make or break” a brand’s image.
This means that CISOs need to proactively push to be a part of board meetings to ensure that cybersecurity remains a priority. This could mean networking with board members to raise the issue. It could also mean preparing a presentation to justify your presence at these meetings.
Take proactive steps to highlight the importance of your role, and why it should matter to the board, too. Remember, the success of the whole company depends on it—so don’t be afraid to push for a board seat.
(They’ll thank you for it later.)
Conclusion
Despite current trends, CISOs should be a part of every single board meeting. Their technical expertise will help board directors make the right decisions and keep their business safe.
If you’re a CISO getting ready for a board-level meeting, remember to:
- Focus on the business objectives: When your cybersecurity initiatives are aligned with the company’s goals, the board is more likely to pay attention
- Prioritize collaboration and transparency: Nurture your links with board members and encourage them to reach out to you anytime
- Communicate clearly: Avoid technical jargon and explain everything in clear, simple terms so that everyone is on the same page
And remember, if you aren’t invited to board meetings, this is your sign to change that. CISO expertise is vital to the functioning of any company, and board members will benefit from your insights.