
Tenable Blog


A Recipe for Success: CISOs Share Top Tips for Successful Board Presentations

With the right ingredients, you can nail your board presentation every time. Check out these recommendations from seasoned Fortune 1000 CISOs.

Presenting to the board can seem like the most daunting task for CISOs - but it doesn't have to be. It's as much about the preparation as it is about having the right ingredients. A new report by the Executive Security Action Forum - an RSA Conference community of security executives from Fortune 1000 companies - aims to help CISOs improve their board presentations.

Titled "What Top CISOs include in updates to the board," the 34-page report shares insights on topics such as how to best structure board presentations and what topics to cover. The ideas come from eight unidentified CISOs working in seven different industries that the Executive Security Action Forum interviewed for the report.

Although there's no standard template or framework for how CISOs should present to the board, the report provides the following tips and insights to help make your board presentation a success. 

Five topics CISOs include in their updates to the board

The interviewed CISOs all touched on these five topic areas when briefing their respective boards: 

  1. Changes to the risk landscape, generally focusing on threats, while also covering regulations and contractual obligations 
  2. Priority risks, zeroing in on the cyber risks and/or risk factors considered the highest priority 
  3. Maturity score, calculating an overall score that reflects the company's security maturity and/or security posture 
  4. Security initiatives, addressing the progress of specific security initiatives 
  5. Security incidents, highlighting significant security incidents that affected the company 

How CISOs organize their updates

Generally, how CISOs organize their updates varies by the type of content being presented and can be broken down into three main areas:

  • Frequency: How often CISOs update the board. The report found that most CISOs typically update the full board once a year and a board committee quarterly - with board committee updates generally being longer and more detailed. For example, a CISO may have 30 minutes with the board committee and only 20 minutes with the full board. 
  • Format: How CISOs choose to present the materials to the board. The format of an update is usually a brief summary with an appendix. For example, CISOs may provide the board with a three-page summary that has a 30-page appendix including details and metrics. Other formats may include a presentation/memo or a pre-read. 
  • Flow of topics: How CISOs choose to order their topics. Some CISOs may choose to start with the status of the security roadmap, while others may start with external issues, such as changes to the threat landscape. Additionally, the topics covered may vary for an individual CISO. For example, certain topics may not be covered every quarter but rather annually or semi-annually, such as a "board education item" that's on the agenda twice a year. Or, topics may change to reflect recent events in the year, such as the completion of a project or an incident at a third party. Although the flow of topics may change over time, most CISOs view updating the board as an ongoing conversation.

(Source: RSA Conference's "What Top CISOs Include in Updates to the Board" report, October 2022)

How CISOs convey risks

CISOs play a critical role in keeping the board updated on how their organization is managing risks. The board's objectives for understanding how cyber risks are being managed at the organization include:

  • Ensure risks are managed with due care. This is considered to be the fiduciary responsibility of boards. Additionally, CISOs must be sure to quantify risks in financial terms in their updates to the board.
  • Demonstrate they have been providing oversight. It's imperative that the board knows and fully understands the gaps and is able to show it was privy to all the details, not just receiving top-level reporting.
  • Hold the CEO and executive leadership at the company accountable for managing risk, and establish legal defensibility. For example, if an incident occurs, there is the potential for legal action against board members. Therefore, it's critical that board members are able to put themselves in a defensible position. They can do this by showing that they were adequately overseeing cyber risk management, including ensuring that risks were being addressed and prioritized in a reasonable way.

When it comes to communicating aspects of risk management to the board, CISOs typically address this area from multiple angles to show that cyber risks are being:  

  • Monitored, by providing data on elements like new attack vectors, threat actors, vulnerabilities and regulations 
  • Analyzed and prioritized, by listing top risks, or breaking out risks by market or product areas 
  • Mitigated and reduced, by including metrics, security controls, plan roadmaps, gaps and costs 
  • Included in overall enterprise risk management, by explaining how cyber risks compare with the organization's other risks

(Source: RSA Conference's "What Top CISOs Include in Updates to the Board" report, October 2022)

Learn more 

For more information, you can request a copy of the full report or watch this on demand webinar.

