Webcast Wrap-up

October 7, 2024

A CISO Blueprint for an Effective Board Narrative


Many CISOs are technical at heart. Too often, they fall into the trap of discussing security activities—the number of incidents, vulnerabilities and exposures, patches applied, or hours of user training. If you’re still talking about operational metrics, you’re missing the opportunity to drive real influence with your board. Effective board communication isn’t about activities and how successful you are at driving more. It’s about framing the impact of cyber risk on the business, i.e., how it affects revenue, reputation, and cost. This blueprint will enable you to elevate your board narrative and position yourself as a true strategic partner, not just the head of IT security.

To deliver these insights, we partnered with Ed Amoroso, who was Chief Security Officer (CSO) at AT&T for over 20 years and delivered dozens of board presentations in that time. Ed delivered a live mock board presentation, which you can find here.

The Preamble: “What Do You Need to Know If You’ve Never Presented to a Board?”

When presenting to the board, whether quarterly or post-incident, communication is highly structured and time-constrained. Once your material is submitted for inclusion in the full board deck, it typically becomes much more abbreviated and curated than you anticipate. Don’t get thrown by last-minute schedule changes or content modifications–you’ll rarely get to present everything in your prepared slides.

Typically, board meetings involve formal presentations lasting 10-20 minutes (shorter is better), followed by a brief Q&A session. Generally, the board wants to hear about three things:

  1. How are we doing right now?
  2. What challenges are we facing?
  3. How are we going to solve them?

For both types of board presentations, you’ll always want to tie your narrative back to the three questions above.

Two Types of Board Narratives

A CISO may be required to present to the board on a quarterly basis or in specially requested sessions to discuss a recent incident.

Board Narrative for Incidents:

After a cyber incident, your first priority is to reassure the board that operations are stable and immediate threats are contained. Start by clearly explaining what happened, who was responsible (e.g., state actors, hacker groups), and how the situation was resolved. This shows that the response was thorough and well-executed.

Example slide from the live mock board presentation: “Board Narrative for Incidents”

Your next step is to detail the business impact and identify any security gaps that need addressing. The board will want to know how similar incidents can be prevented.

Example slide from the live mock board presentation: “Incident Prevention Results”

You should then present recommendations for strengthening your defenses, such as improving visibility or implementing new tools and processes. This highlights your proactive approach to hardening systems and preventing future breaches. New CISOs, be advised that you should not ask for a budget to cover these improvements–the board is not the place to discuss budget issues. That will be a discussion between you and your executive staff.

If new tools and processes have been identified and scheduled for implementation, you must outline an action plan detailing the next steps for system improvements. Emphasize that ongoing efforts will be made to secure the organization. The key here is to restore confidence by showing that lessons were learned, corrective actions are in place, and long-term strategies will prevent future attacks.

Example slide from the live mock board presentation: “CISO Board Presentation Roadmap”

Board Narrative for Quarterly Briefing:

You should start your presentation with a brief overview of your last discussion with the board. This ensures continuity and provides a reminder of the objectives and initiatives discussed. Highlight any major updates or progress made since then, focusing on the high-priority tasks.

Example slide from Balbix’s downloadable template “9 Slides Every CISO Must Use in Their 2024 Board Presentation”: “Summary from Last Board Meeting for CISO”

Make sure to include updates on ongoing projects or improvements, and explain how the last set of recommendations was implemented. This section should reassure the board that the actions taken were effective and that the cybersecurity posture is continuously evolving.

Next, you should move to a risk landscape update. This involves detailing new or emerging threats, as well as reviewing persistent risks from previous updates. Ensure that the board understands how these risks are currently being mitigated and what steps are being taken to prevent disruptions.

Example slide from Balbix’s downloadable template “9 Slides Every CISO Must Use in Their 2024 Board Presentation”: “Cyber Risk Growth”

Following the risk landscape update, you will move on to discuss cyber risk metrics detailing your current security posture. Present clear, data-driven insights that reflect your organization’s security status. This might include the mean-time-to-remediate, incident response times, or the financial implications of potential vulnerabilities. Metrics help the board assess how well you manage cyber risks and whether your strategies work.

Example slide from Balbix’s downloadable template “9 Slides Every CISO Must Use in Their 2024 Board Presentation”: “Key Cyber Metrics for CISO Board Presentation”

Finally, discuss any special topics, such as new compliance requirements, significant technological developments like AI, or the rise of new threat actors. Conclude by framing how these emerging challenges or opportunities may influence your future cybersecurity strategy, ensuring the board is aware of how external factors may impact risk management going forward.

Example slide from Balbix’s downloadable template “9 Slides Every CISO Must Use in Their 2024 Board Presentation”: “SEC Slide for CISO Board Presentation”

Questions Boards Ask and How to Respond: It’s All About Business Disruption and $$

Beyond the standard board questions listed above, board members will often throw a curveball: an open-ended question that requires you to think on your feet, no matter how prepared you are. Typical examples:

  • Risk to the business: “How did the security incident impact our operations?”
  • Financial implications: “What’s the cost of mitigating or not mitigating a risk?” and “How have existing cyber investments improved our security posture? What is the ROI?”
  • Compliance Impact: “Did we need to file a report with the SEC after an incident?”, “Did we incur fines?”, and “What was the material impact reported in monetary terms?”

Always respond with concise, actionable answers. Avoid jargon and emphasize how security initiatives tie back to business continuity and financial outcomes. When discussing incidents, provide clear timelines for mitigation and explain the long-term benefits of any proposed solutions.

Where Do You Go From Here?

After your board presentation, follow-up is critical. Provide regular updates on the status of any approved initiatives and prepare for the next round of questions. Each presentation builds on the last, so maintaining transparency and a forward-looking approach will help ensure the board remains confident in your cybersecurity strategy. Sharing a standardized risk dashboard like the following can help communicate the current state of vulnerabilities, categorized by factors like operational disruption, financial loss, and reputational damage. This keeps things transparent and helps the board see the bigger picture.

Example slide from the live mock board presentation: “Post-Incident Cyber Risk Dashboard for CISO Board Meeting”

Request a Demo

If you are facing an inaccurate and incomplete asset inventory, or challenges quantifying, prioritizing and remediating risks that can negatively affect your board metrics, we recommend you request a demo to see how Balbix can solve these issues.