How can Chief Information Security Officers and cyber security leaders avoid these board reporting pitfalls?
Firstly, you almost certainly have allies. These may include a Chief Risk Officer or Chief Information Officer. They will do their own board reporting, and will be used to the needs of individual board members, including non-executive directors whom you may not see frequently. Ask other leaders what they do, review their reports, and consider whether they are well received.
Ask them to review your report, or mentor you in delivering it. Often others can see things we can’t because they have a different perspective. That includes spotting things that make sense to us, but not to anyone else.
Consider whether your reporting is consistent with other leaders who are reporting on similar areas such as risk and IT. Are you sending the same message, or a different one? If different, consider socialising it beforehand with other leaders and explaining why you are taking this to the board.
That does not always mean modifying your message: there was a time when I was advised by many not to mention that we had significant issues to tackle. Surprisingly to many, this was precisely the message the board wanted to hear. Because I had shared and discussed this plan in advance, once the board approved it, the need for a major cyber security program was accepted by senior management, even though the cost impacted other executives’ plans.
Do also familiarize yourself with your board. It’s highly likely that board members will be open to telling you directly what they expect, and it’s often possible to arrange an informal meeting. Be ready with questions. Learn a little about your board members and the other boards they are part of. Ask them about their experiences and what they found beneficial and effective.
Lastly, prepare and rehearse. In some instances, it took me over a year to perfect a basic template for board reporting, and then a few more years to fine-tune it according to the needs of board members and shifts in the board of directors’ priorities and objectives.
Creating board reports is not a simple task, especially in technical domains like cyber security where it’s challenging to obtain quantitative data that aligns with financial impact or business goals. Effective boards will comprehend this and be ready to collaborate with you on it.
Nonetheless, bear in mind that the majority of the effort lies in the planning and interaction. A presentation to an IT team that lasts an hour might require 10 hours to draft and prepare, while a board presentation of 10 minutes might necessitate 100 hours of preparation.
If you’re pressed for time, view it as a chance to pose these questions and initiate a conversation about their expectations. Board members will almost invariably appreciate the transparency and engagement.