How to: Report to The Board
Here at TrustMAPP, we talk to CISOs daily.
We spoke with over 20 CISOs about what the most important part of their report to the board is… and, of course, we got 20 different answers.
“Know your board… do research on other boards they serve on and companies they’ve worked for.” – Jason Lish, CISO at Lumen Technologies
“There is no one ‘The board’. Learn what the board prefers in terms of communications both collectively and individually.” – Allan Alford, CISO at TrustMAPP
“I think numbers are going to be increasingly important with boards. We shouldn’t be asking the board for cash: they have a governance role, not an operational one.” – Rich Mason, Former CSO at Honeywell Global
We understand the importance of reporting to the board and how much that reporting varies. So we’ve consolidated the responses and the variations in data representation into a Board Reporting Best Practices Framework:
3 things to consider in your presentation before you start preparing:
- How long will it take to put together?
- Are you telling a compelling story?
- Are you confident in the content?
What every board report should cover:
- Posture against an industry framework
- A heat map of highest risk
- A discussion of “intolerables” and the Plan of Action and Milestones (POAM)
The primary duties of a corporate board you should take into account:
- Duty of Care – Prudent use of all assets, including facilities, people, and goodwill
- Duty of Loyalty – Ensuring activities and transactions are in the company’s best interest and advancing its mission
- Duty of Obedience – Ensuring compliance with all applicable laws and regulations and adherence to own bylaws and stated mission
5 questions your board WILL ask, and how to answer them, according to Gartner®:
- The Tradeoff Question: Are we secure enough?
- The Landscape Question: How bad is it out there?
- The Risk Question: How exposed are we?
- The Performance Question: How are we performing?
- The Incident Question: Are we prepared to respond effectively?
Responses to common questions asked by the board, according to Gartner:
Question 1: What is X? What should our approach to X be?
What they mean: We don’t know what bad, good, or great looks like.
How to respond: Provide a definition and big-picture representation of what the enterprise currently has and specifically how it got that way.
Question 2: Why do we need X, or why is X that way?
What they mean: We don’t know how to make decisions about this.
How to respond: Map business capabilities to X and describe the limitations of the current state.
Question 3: What are our options regarding X?
What they mean: Help us figure out the flexibility and levers we have in order to use this to impact business outcomes.
How to respond: Co-create and negotiate the strategic story through a persistent focus on cost/value/risk trade-offs of the different options. Do not endorse an option you do not control.
Question 4: How does X work?
What they mean: Tell us how it works so we can tell you what to do.
How to respond: Educate, demonstrate and create a framework story to guide the conversation.
Save time preparing your board report and tell the board what they really want to know.
Download and customize your Board Reporting Presentation Template HERE.