3 Tips for Communicating Cybersecurity to the Board
Whether your bank or credit union has $50 million in assets or $50 billion, presenting to the Board can sometimes be a scary endeavor for even the most seasoned IT professionals.

And we totally understand why.

The Board of Directors are a peculiar breed: they speak a certain language, expect brevity, and examine business practices from a bird's-eye perspective. As an IT Manager, CISO, or CSO, you understand risk and compliance intimately, and you think about them in infosec terminology.

Clearly Communicate Risk During Your Board Presentation

Communicating effectively with members of the board ultimately helps everyone. It gives the people in the room what they need to make informed decisions about data security management and compliance, so they can properly allocate resources and hire personnel. It also gives you the chance to educate the most influential shareholders on how well your security program is performing, and on where you could use their support to make improvements.

To communicate risk mitigation to the board as effectively as possible, follow these three tips.

1. Use Universal, Non-Security Terms

The world of IT security is riddled with technical jargon and acronyms understood by very few. You can almost certainly count on the Board of Directors not to be well-versed in this language, nor to have the time to learn it. Phrases like “the probability of SQL injection on database servers” should be left in your office, not brought to the head of the Board table.

Make an effort to align your language with that of the people you present to. Establish a lingua franca at the very start of your presentation by briefly reviewing how your organization defines the few technical terms you cannot avoid using. Put everyone on the same playing field through your language, and you’ll find your words carry more weight and persuasion from the start.

Knowing which types of words to avoid should get you out of the room with your job still intact; knowing the specific words to use may get you out of the room with everything you need to mature and advance your security program. Talk in terms that match the way they think about the business of the organization. For example, classify urgency by how an issue might impact shareholder value.

2. Be Quantitative Whenever Possible

Present risk in business or financial terms to give a deeper understanding of both your IT risk environment and your security control framework. Your stakeholders need to understand both to make informed decisions, and it is your job to make that possible.

Coming to the table ready to explain risk in financial terms starts with using a modern framework. Tools like the Rivial risk management methodology are meant to help your organization measure risk more accurately, and you can use the results to make better business decisions. To further capture the attention of your shareholders, explain how each risk level might impact your organization in dollar terms if it is not mitigated.

3. Come with Issues, But Also Solutions

When all is good news, the CEO presents to the Board; when problems arise, the CEO still presents to the Board; but when a specific problem arises, the CEO calls on the in-house expert to present to the Board. Chances are, when you’re walking into that room, it is to address one of these specific problems.

It is vital that your presentation properly addresses whatever issues pose a threat to your organization, but come bearing solutions. Use data to explain the problem, and show how that same data points the way to solving it. Remember, no one likes hearing bad news, but if the remedy is readily available, it eases the pain considerably.

Despite all the cybersecurity breaches stealing headlines over the past few years, IT security is still understaffed and under-budgeted. Take your opportunity in front of the Board of Directors to plead your case for expanded budgets and new hires. Again, these individuals are the most influential shareholders in the company. Give them a reasonable proposal to improve the cybersecurity functions of their company, one that will hopefully coincide with a much more manageable workload for yourself.

Delivering a Successful Presentation

Rivial Data Security aims to make IT risk management as holistic, effective and painless as possible. Check out how our SMO tool, the Rivial Platform, can help you build and mature a solid security program.