Five Questions CISOs Ask Themselves Before Giving a Board Overview

This post was contributed by Josh Bruyning, Cybersecurity Solutions Engineer at TrustMAPP.

They say the key to telling a good story is to know your audience; I’m not sure who “they” are, but “their” advice is as good for the board room or C-suite as it is for Harry Potter fans.

When presenting to a room of business-minded stakeholders, it is crucial to understand what they would like to know. Naturally, the process begins well before entering the board room, and preparation is vital. I’m not saying to go as far as psychoanalyzing each person in the room, but I’m not saying don’t either – to a reasonable extent. You may want to take time to meet with individuals a few days before your overview, enough time to put your finger on the pulse of the business, but not so little time to gather critical information. Review your story and make sure the language is clear, concise, and actionable, using business language or plain speech.

I’ll say this for those who have the attention span of a goldfish: Align your story with the company mission. Imagine how dissatisfied Darth Sidious would be after listening to Darth Vader emphasize the latest starfighter technology when the empire decided to use clones and issue blasters. Stick to the topic and, according to E.B White, eliminate needless words. Remember, your overview is not about you; it’s about your team. For the organization-minded leader, ego is the enemy we must defeat daily.

1. Will I surprise my audience with big news?

Whether good or bad, the unexpected could derail your overview, opening you up to unwanted questions and criticism and consuming precious time. If you must squeeze in a good surprise, you should be sure that your audience will receive the good news. Your story must relate directly to previous discussions that you’ve had with relevant parties in the days leading up to your overview. Telling the CFO that you’ve discovered a tool that will keep their operations secure and increase efficiency by half might not result in applause. You might spend the rest of your time arguing the finer finance details. Perhaps it would be better to meet with the CFO a few days in advance and describe your plan. When you have both come to a consensus and won stakeholder support, such news might produce delight and support in board members.

2. Have I collected enough intel on my audience?

Let’s not go too crazy with this one. We can spend endless time probing the nature of humanity, pouring our energy and time into the infinite well of human psychology. Create a quick profile of those to whom you will deliver your story. Think of your research as micro marketing. You are selling an idea or set of ideas to a group of people who possess collective and individual identities. Each person’s profile can serve the greater narrative as you draw commonalities between members. Perhaps the group is on the analytical end of the spectrum and would prefer numbers over words. If the group overwhelmingly consists of artistic individuals, craft a narrative that evokes emotion and inspires creative discussion. You may discover that there are extreme personality types in your audience, and you may decide to meet them somewhere in the middle. The objective is to avoid alienating anyone while talking to everyone.

3. Will my mom grasp your overview?

Have you ever tried to explain the internet to your mom? This will be a tough one, and I never said that delivering an overview to the board is going to be easy, even after reading this blog post. Recount the time your mom asked you to tell her why the printer doesn’t print or why the link she clicked on about winning a trip to Paris is not what it’s cracked up to be. The problem is not that your mom is unintelligent, an assumption that I made to comfort myself and justify my frustration, but instead, she knows too much. She trusts that when people tell her something, they usually are telling the truth. Technology often turns millennia of human social development on their head, making communication a social problem, not one of technological prowess. Instead of getting frustrated with m mom, I wish I could have gone back in time and told her that there are people who know how trusting she is, exploiting her goodness for money. Instead, I must have spent hours explaining how to identify malicious links. Stay away from features and stick to a vision of the company. Understand that most people won’t know what MFA is. And no, the answer is not always to cram the definition into their heads. The business is at risk because it’s easier for bad guys to overcome one roadblock instead of several, and right now, we only have one roadblock in place. But again, know your audience and tailor your communication to what they will grasp with the least effort. After all, a good storyteller does not depend on the audience to make sense of the story but delivers a predigested narrative to eager minds.

4. Am I aligned with the mission?

It is worth emphasizing the importance of business alignment. Disconnected narratives will result in a lack of actionable information and, at worst, can destroy the business. Take the time to comb through every item in your overview, measuring the degree to which you have successfully aligned your information with the organization’s strategy. Having access to written company strategies and objectives will help map each item to your overview literally. If an item in our overview has nothing to do with an article on the strategy page, nuke it. All good storytellers kill their metaphorical babies (no babies were harmed in the writing of this blog). Perhaps you are excited to roll out your fully optimized intrusion detection system plan. At the same time, the SOC auditor lurks outside, and you don’t have MFA implemented on a single endpoint. Maybe compliance comes before optimization, or else the business will die the death of a thousand fines.

5. Am I truly willing to listen?

Finally, we will discover the pain of ego death. To tell a good story and give an engaging overview, the self must take a backseat to the collective. One way to ensure that all your work is on track is to allow time during and after your overview for intentional listening. Whip out a notepad if you must. Although we’ve thoroughly prepared, what are the odds that our ideas are perfect? We want to emphasize those good ideas that can become great ones, which can happen only when we include all voices. Don’t take questions as a sign that you are unprepared or incompetent. Allowing time to let listeners voice their concerns and confront issues with thoughtful responses demonstrates emotional intelligence. You can pivot to an open discussion or follow up with interested parties for further collaboration. Not only will you perform prudently, but you will leave an impression on your audience, a phenomenon good storytellers call resonance.