Yeah… I’m a little slow too.

Talking to the board is the easy part.

Part 1 In a series reflecting on the lessons every CSO needs to learn.

Geoff Belknap

--

Being a CSO is not an easy job.

I figured that out for myself.

A great many other things, I figured out with guidance and insight from my peers. In fact, the most common piece of advice I give to people new to this role is: “It’s important to build a solid network of other CSOs.” I find it immensely valuable to discuss the challenges I’m facing with others who are working to solve them at their organizations too.

I’m personally committed to this idea. I’m on the board of the non-profit Bay Area CSO Council, a 501(c)(3) where member CSOs and CISOs meet monthly for a few hours to learn from and share with each other. Naturally, there’s also a Slack workspace where the discussions and collaboration continue with CSOs from outside the Bay Area as well. The major parts of the job are strikingly similar, regardless of industry vertical or geographic region.

As you can imagine, these discussions coalesce around the top-of-mind questions that an executive accountable for information security faces. Not least of which is trying to understand why we received unsolicited free Nerf guns from a vendor. (I’m still not sure.)

However, these conversations are, more often than not, insightful. I’m the fortunate beneficiary of many insights from my peers. I thought I’d share some of them here, in a series, starting with one that’s frequently top-of-mind for me.

Talking to the board is the easy part.

Preparing a competent board deck is a straightforward affair. Pull some metrics from your various systems of record, craft them into some lovely color graphs, add some trend lines, maybe a short block of text with a key fact or insight, toss an agenda slide at the beginning… voilà! You’ve got a board deck. You’re also the proud new owner of a missed opportunity.

When I started at Slack, the presentations I gave to the board were about my vision for the capabilities we would develop. Any hard data, which is always scarce in the beginning, was about our progress toward that vision. It was very much a narrative of the journey from nothing to something. Nowadays, with the initial vision largely realized, we’re talking with them about our journey of continuous improvement. There’s real data now and we’re using it to share how our something is constantly being churned into something better. But data isn’t a story in and of itself.

A few quarters ago my trusty Director of Risk and Compliance (Larkin Ryder) and I dutifully assembled just such a board deck. We agonized over the charts and bullet points for two weeks. We rehearsed, revised, and refined the delivery of the presentation. We felt good about it. We felt ready.

When it came to meeting time we delivered a crisp walkthrough of the data.

“3 new items being tracked on the risk register…”

“…Time to close for incidents is trending down…”

“…Bug Bounty submissions are improving…”

We answered some questions and, as is typical, went over our allotted time and 10 minutes into the General Counsel’s time. Having executed the task at hand well, I looked around the table. I received some approving nods, a very subtle “wrap it up” look from the GC (who now takes the time slot ahead of mine), and we were done. Larkin and I left the room, walked into the hallway, and headed toward the kitchen to debrief. We turned to look at each other. I asked the question that was on both our minds.

“How’d that go?”

“I think it was fine,” she said.

“Yeah. That’s what I’m worried about… I can’t help feeling like we could be using the time better.”

I’m very lucky. The members of Slack’s Audit and Risk Committee are seasoned executives. They are each brilliant in their own right, generous with their time, and thoughtful with their questions. Suffice it to say, they can “read a mean chart”. Long-winded expert analysis is not required to decipher whether the trend lines are good or bad. But that’s what we had just done.

I felt this nagging sense that we could do better. I was at a loss for where to start. I turned, as I often do, to my peers. The ensuing discussion about what, how, and how often they present to their board carried on for the better part of a day. It all seemed, to me, very familiar when compared with my own situation. Then, someone said something that stuck with me.

“Talking to the board is the easy part. Adding value to their thinking is hard.”*

*I can’t remember who said this to me. It was probably Bob Lord. It sounds like his particular brand of soundbite-worthy sage wisdom.

Tell your story.

The common lessons from that discussion are: CSOs have, at most, 4 or 5 opportunities to brief the audit sub-committee and/or the full board each fiscal year. Many get only one. Some get none (a travesty for a post some other time). This is an opportunity to help the board understand what the current threat landscape means for the business, for you to lay out your strategy, and to help them see how you think about the value and effectiveness of your program. You’re going to help them understand how security impacts the business strategically. You need to weave your brilliant insights into plans to improve things (you are improving things, right?), and your progress executing against that plan.

You can do that in, what? 45 minutes? Maybe 90 for your first session?

Cool. You have maybe 15 minutes.

Be consistent.

Even those blessed with an engaged board and a wealth of opportunities to brief them need to keep things focused. The most straightforward way to do this is to follow a consistent format and a standard template. Here’s what I use as a rough template for my board decks.

Key incident review

  • High-level tick-tock, action items, and residual risk.
  • If you wrapped up an incident in the prior quarter that had, or may have, significant impact on the business, now is the time. Keep to the facts. This isn’t a dramatic retelling. Share what you and your peers are doing about it, and what (if any) is the residual risk to the business.

Internal roadmap

  • Highlights, progress, wins(!), and lessons.
  • If you’re meeting once a year: Spend a little time here to highlight what you accomplished over the last four quarters, and what you’re planning for the next four.
  • If you’re meeting quarterly: Share the same highlights, but now your updates can be more timely and have a little more depth. Everything should tie back to business impact. Avoid the temptation to read off your quarterly OKRs or goals verbatim; this isn’t the place for that.

Top of mind

  • Hold this space to cover any other important topics that need board attention.
  • Changes in material risk; significant shifts in the threat landscape.

Appendix

  • Operational metrics (1–2 slides per functional group).
  • Keep doing your exquisite charts and tables for your operational metrics, but stuff them in the appendix.
  • If you’re in a regulated industry and you have some set of mandatory information you need to share, this is the place.
  • This is a holding pen for information you’re not going to cover in your presentation, but that is important regardless. Your board members will read these slides ahead of time and they’ll bring questions to the meeting, if they have them. So, you still need to be able to speak to the information, even if you don’t present it.

You’ll also want to spend some time being prepared with thoughtful answers and insights about current events in security relative to your company, competitors and peers. You don’t need a slide for these. Your thoughtful responses will reflect well on you.

Get Perspective.

With this newfound wisdom and perspective, we hit upon a wonderful way to help improve your board presentations. Do a dry run of the board deck with smart, non-security people.

Here’s how it works:

Got a Head of Corp Dev, Head of Corporate Strategy, or someone else that thinks about the business holistically, like a board member? Perfect. They’re your new best friend, if they weren’t already.

Ask your new best friends for an hour. Present your deck to them. Cold. No prefacing or read-ahead. Limit yourself to ten minutes. Then ask them what they heard, what they learned, and what they think of the security program and the enterprise’s risk based on this. Then, and this is very important, shut up and listen. What they say next will be raw, Grade A, premium quality feedback. You’re going to be tempted to clarify, restate, and frame.

No.

Shut up.

Listen.

Take fastidious notes.

Once the vein of feedback runs dry, and the awkward silence gets… awkward, run them through it again. This time spend as much time as needed and verbosely explain what you wanted them to walk away knowing. Then ask them, “Knowing what you know now, what could be better?” Spend whatever time you have left taking notes and thanking them. Then retire to the glorious afterglow of teamwork, and go make your deck better. Do this as often as they’ll tolerate (once a quarter should be more than enough).

Rinse, repeat, wipe hands on pants.

Takeaways:

Build a network of your peers.

  • Being a CSO is hard. Sometimes it feels like uncharted territory. Sometimes it is. Other people are facing or have already solved the same challenges. Seek them out. Learn from them.

Tell your story.

  • Let data speak for itself. Your board can read a chart. They can’t manage a security program. Tell them what’s going on in the world and how it impacts the business. Tell them what’s going on with the security program, and how it will help the business cope with what’s going on in the world.

Be consistent.

  • You have precious little time. Dazzle your audience with your insights. Don’t distract them with a new format each time you meet.

Get perspective.

  • You know your world better than anyone. Your mission is to inform and engage an audience that knows nothing about it. This is not a skill that comes naturally. Try your deck out on someone outside your bubble. Their perspective will be good; their feedback will be great.

Every business is different. Every board is different. But every board benefits from you thinking about how to use your short time together wisely. Use every moment between board meetings to think about what you need them to know and what you want them to take away, and be prepared.

--

Geoff Belknap

Chief Information Security Officer @ LinkedIn - Former Slack, Palantir - Native Buffalonian, Current Californian