When it Comes to Boards, Different Strokes For Different Folks

November 14, 2024
Shirley Salzman, CEO & Co-Founder

A practical guide to meeting diverse board expectations and delivering impactful presentations that resonate

One truth that is easy to overlook when communicating security to the board is that no two boards are alike. Some members have a deep understanding of cybersecurity; others are only starting to grasp the basics. Some want the nuances, others a high-level summary. Some want a single security score, others want performance against a specific framework such as the NIST CSF, and still others want insight into threats and compliance. Try as they might, security executives often find themselves speaking in "security language" and struggling to make the message land at each of those levels.

There is no shortage of articles advising CISOs on presenting to boards: keep it simple, focus on high-level insights, avoid jargon, and use visuals such as an executive dashboard. A common recommendation is a "Top 10" list of metrics that shows organizational security performance against a handful of criteria (risks, threats, compliance) without overwhelming the board.

The real challenge is not what needs to be measured—it’s how you measure it.

How do you turn a mass of data points into a simple, honest answer to questions such as "Are we secure?", "Are we resilient?", "Are we improving?" and "Are we ready for ransomware?"

What We've Observed from Hundreds of Security Leaders

Every board has its unique priorities. 

True, the same measurements can serve multiple purposes: demonstrating compliance, tracking threats, improving performance, or whatever else your board wants to focus on. But when it comes to reporting, the key is to go beyond raw metrics and craft a narrative that fosters:

1. Shared accountability: How do you distill countless data points to show that you are meeting your goals, for example on compliance?

2. Resource advocacy: How do you use your data to secure the resources your team needs to excel?

3. Risk awareness: How do you expose board members, adequately and meaningfully, to the critical risks and threats that could affect your organization?

The problem is that most security reporting methods lack the flexibility to serve these diverse demands.

That is because a board report is typically compiled over weeks (sometimes longer) of data gathering from many different stakeholders, each with their own story and their own types of data that must be combined. If a board member asks to see the data from a different perspective, answering requires a whole new cycle of collection and analysis.

To be effective, security reporting must:

  1. Adapt to integrate the metrics that support the objective at hand.
  2. Have the flexibility to highlight different combinations of metrics depending on the narrative being told.
  3. Bake in historical context so progress or decline is visible.
  4. Show different perspectives so discussions can zero in quickly on what needs to be prioritized.
  5. Present all this complexity through clear, simple visualizations.

A New Way: Flexible, Data-Driven Reporting

Imagine if your board reporting could easily adapt to meet your board’s specific needs and form the narratives you want to convey. That’s the power of a flexible, data-driven reporting approach. With this new method, you can select the relevant metrics that tell the story you want—whether it’s focused on compliance, threat landscape, technical depth, or performance against organizational goals.

Here’s how this approach works:

  • Data-Driven: Automatically pulls from all your tools to provide a comprehensive, integrated picture.
  • Based on Ready-to-Use Metrics: A universal measurement language that’s easy to understand.
  • Fast and Dynamic: Automated processes eliminate time-consuming data collection and aggregation.
  • Two-Way Conversations: Boards can ask follow-up questions, request different views, or seek more detail without requiring you to restart the reporting process.

An example

Building a Narrative Around Compliance:

Let's say one of the key questions your board expects you to answer is how well the organization is "Sustaining Compliance Standards."

The New Way: With flexible, data-driven reporting, this work is already done. Here’s how:

SeeMetrics identified the objectives and key results (OKRs) that security leaders want to present at a board meeting, and built a list of specific KPIs under each OKR which, once answered, measure that objective effectively.

Take the OKR "Sustaining compliance standards". To measure and narrate this story, SeeMetrics created 20 associated KPIs, one of which is "Ensure we regularly evaluate NIST CSF controls and address any control gaps".

SeeMetrics then mapped out the dozens of metrics that collectively answer how well your organization is performing against this KPI, including:

  • % of NIST CSF controls successfully tested in the last quarter
  • # of NIST CSF controls that failed testing and lack a defined action plan
  • # of regulatory requirements not currently met, without a defined action plan

By aggregating metrics by KPI, organized under each OKR, you give your board a clear, actionable score that reflects how well the organization is meeting each goal or standard; in the example above, compliance. And if the board wants more detail, you can zoom in to show the hows and whys on the spot.

Using SeeMetrics, you can prioritize metrics by assigning each an importance level and weight. That weighting gives you the flexibility to emphasize what truly matters in your top-level narrative.
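To make the metric-to-KPI-to-OKR roll-up concrete, here is an added illustration of the weighted aggregation and drill-down just described. It is not SeeMetrics code. The OKR, KPI and three metric names are taken from the post; the sample values, targets, weights and the 0-100 normalisation rule (percentages scale against a target, open-gap counts scale against a tolerated ceiling) are assumptions made for the example.

```python
"""Weighted roll-up of security metrics into a KPI and OKR score, with drill-down.

Added example: not SeeMetrics' implementation. Metric names are from the post;
values, targets, weights and the scoring rule are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Metric:
    """One raw measurement feeding a KPI."""
    name: str
    value: float
    weight: float            # relative importance within the KPI (assumed)
    target: float            # value scoring 100 (higher-is-better) or tolerated ceiling (lower-is-better)
    higher_is_better: bool   # True for "% tested", False for "# open gaps"

    def score(self) -> float:
        """Normalise to 0..100 so percentages and raw counts can be combined."""
        if self.higher_is_better:
            raw = 100.0 * self.value / self.target
        elif self.target <= 0:
            raw = 100.0 if self.value <= 0 else 0.0   # zero tolerance: any open item fails
        else:
            raw = 100.0 * (1.0 - self.value / self.target)
        return max(0.0, min(100.0, raw))


def weighted_mean(pairs: list[tuple[float, float]]) -> float:
    """Weighted mean of (score, weight) pairs; an empty or zero-weight set scores 0."""
    total = sum(w for _, w in pairs)
    return sum(s * w for s, w in pairs) / total if total else 0.0


@dataclass
class KPI:
    name: str
    metrics: list[Metric]
    weight: float = 1.0      # relative importance within the OKR (assumed)

    def score(self) -> float:
        return weighted_mean([(m.score(), m.weight) for m in self.metrics])


@dataclass
class OKR:
    name: str
    kpis: list[KPI]

    def score(self) -> float:
        return weighted_mean([(k.score(), k.weight) for k in self.kpis])

    def drill_down(self) -> list[tuple[str, str, float]]:
        """Every underlying metric, weakest first: the 'how and why' behind the headline."""
        rows = [(k.name, m.name, m.score()) for k in self.kpis for m in k.metrics]
        return sorted(rows, key=lambda r: r[2])


def compliance_okr(weights=(1.0, 2.0, 2.0)) -> OKR:
    """The post's OKR and KPI with its three listed metrics.

    Sample values (85% tested, 3 and 2 open gaps), targets and weights are
    constructed data, not real figures."""
    w_tested, w_failed, w_unmet = weights
    kpi = KPI(
        "Ensure we regularly evaluate NIST CSF controls and address any control gaps",
        [
            Metric("% of NIST CSF controls successfully tested in the last quarter",
                   value=85, weight=w_tested, target=100, higher_is_better=True),
            Metric("# of NIST CSF controls that failed testing and lack a defined action plan",
                   value=3, weight=w_failed, target=10, higher_is_better=False),
            Metric("# of regulatory requirements not currently met, without a defined action plan",
                   value=2, weight=w_unmet, target=5, higher_is_better=False),
        ],
    )
    return OKR("Sustaining compliance standards", [kpi])


if __name__ == "__main__":
    okr = compliance_okr()
    print(f"{okr.name}: {okr.score():.1f}/100")
    for _kpi_name, metric_name, s in okr.drill_down():
        print(f"  {s:5.1f}  {metric_name}")
    # Same underlying data, different weighting: the headline moves, the drill-down does not.
    print(f"re-weighted (3,1,1): {compliance_okr((3.0, 1.0, 1.0)).score():.1f}/100")
```

With the constructed data the KPI scores 69 under weights (1, 2, 2) and 77 under (3, 1, 1), while the drill-down still ranks the unmet regulatory requirements as the weakest item either way. That is the practical caveat: weights are a policy decision, so fix and disclose them before the first report and keep them stable quarter to quarter; a trend line is only meaningful against a constant weighting, and re-weighting to lift the headline number rather than close the gap beneath it defeats the purpose of the score.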

This approach enables your board to quickly grasp your organization’s status and pinpoint areas needing attention—all presented in a way that suits their knowledge and preferences.

Empowering Boards to Make Informed Decisions

This approach to board reporting not only saves time but also creates a more engaged, informed board. Members can ask questions, explore different perspectives, and gain insights into your organization’s cybersecurity posture without wading through technical jargon.

When it comes to boards, “different strokes for different folks” is more than a catchy phrase—it’s essential for effective communication. By adapting reports to meet each board’s unique needs, you’re not only delivering information but also empowering them to make informed decisions that drive the organization forward.