
How should CISOs present a security assessment report?

CISOs regularly have to present a security assessment report to the board of directors. Expert Mike O. Villegas has some tips to make it more engaging.

Presenting to boards is part of my job as a CISO, but I'm starting to feel like I'm repeating myself every time...

I have to defend the security program. Is the traditional defense ROI model presentation really the most effective way to present security topics to the board? Are there other, more creative techniques I can use to be successful?

The board of directors has many responsibilities, and because of an increasing number of highly publicized data breaches, information security is gaining importance on the board's agenda. Board members are typically not technical, so they rely on the CISO to provide assurance that the company will not become another statistic, and that if it does, the losses will be minimal and recovery will be smooth and timely.

If CISOs are already providing the board a security assessment report, they are ahead of most others. The question is how to make the report nonrepetitive, relevant and informative. CISOs can use a security assessment report to better communicate the key security elements to the board: compliance, information, security and outlook.

A CISO security assessment report should document the state of compliance with regulations, laws and internal policies. The state of compliance report will vary in depth and importance, depending on the industry. It can be helpful to use a security framework -- such as ISO 27002, Cybersecurity Framework or COBIT -- to help determine the state of compliance for your enterprise.

Information is a CISO's greatest asset. Its value drives the protection efforts of the information security program. It needs to be risk-based and complement the compliance effort. Your state of information report should detail overall risk to the enterprise. Risk categories abound, but you need to work with your compliance and enterprise risk group to ensure information security risk aligns.

A CISO security assessment report should also include a state of security section, which covers all the areas that meet the selected vetted framework objectives. For example, if ISO 27002 is the framework of choice, there are 10 domains to cover. Not every section in each domain will apply, but the state of security report should highlight the areas that are fully deployed and working effectively.

An outlook report is another important part of a CISO security assessment report. It should detail areas of focus for the future. The outlook should be aligned with the overall strategic business model of the company. For instance, if the company performs Web-based transaction processing, it should speak of the channels affected. The CISO should state attack vectors that will come into play once the business model expands, even though they may be currently nonexistent. If the business model is legacy only, the vulnerability risks are primarily internal. If the company has retail stores, the state of outlook report introduces risks that can adversely affect the company, such as point of sale (POS), mobile POS, PCI compliance and continuous monitoring.

Board members do not want to be buried in minutiae. They need to know, at a high level, whether there are areas of security concern that need attention. They need assurance that the company has deployed sufficient mitigants to minimize risk. Some pundits have suggested that information security has a return on investment (ROI). From a practical viewpoint, it is challenging to prove that deploying the vetted information security framework results in ROI, because the evidence amounts to "something bad didn't happen."

Information security resembles insurance. A company buys sufficient coverage so that, when needed, it can recover and return to business as usual -- all the while trusting it will never have to use it. It would be ill-advised to drop insurance because the company has never had to use it, just as it would be ill-advised not to implement security measures because the enterprise hasn't had a breach.

The CISO's security assessment report should be comprehensive, relevant and easy to understand. Use the selected framework to create charts with colorful icons that depict the state of the CISO report. Make it graphical, understandable and use board vernacular -- do not use technical jargon that will lose your audience. Stay away from using fear, uncertainty and doubt, because that is short-lived. Make it interesting, current and relevant.

CISOs typically have five to 15 minutes to present the security assessment report, so plan accordingly. The board understands technology at the same level as most users today, but ensure that the state of the CISO report speaks of risks in business and strategic terms. If a board member decides to ask a specific technical question, don't resort to technical terms that will embarrass the questioner; instead, answer the question in business terms. This demonstrates to the board that you understand the business and they can trust the information security program to meet company objectives.

No one knows your company culture better than you. Be creative in developing your own report. Know your board and its members. Understand what keeps them up at night. Study the business model and craft your CISO security assessment report accordingly.


This was last published in January 2016
