The 15-Minute, 7-Slide Security Presentation For Your Board of Directors

Help the board understand why cybersecurity is critical to the business.

When the request comes in to give a cybersecurity presentation to
the board, security leaders should jump at the chance to educate
the executives. However, a lengthy, in-depth presentation is more
likely to leave the board scratching their heads than directing
resources the right way.

Gartner estimates by 2020, 100% of large enterprises will be
asked to report to their board of directors on cybersecurity and
technology risk at least annually.

The question is what’s the best way to get the message across
without losing the audience.

“Boards are becoming increasingly interested in security and risk
management; however, there’s often a misalignment between what
the board needs to know and what security and risk management
leaders are able to convey,” says Rob McMillan, research director. “It’s
critical that security and risk management leaders supply
board-relevant and business-aligned content that is not hampered by
overly technical references.”

Ensure the presentation answers key questions about how
cybersecurity can and will support the company’s main mission and
business, relevant environmental factors and the extent to which
material risks are being managed. Most importantly, don’t allow the
presentation to get bogged down in overly technical explanations.
And ensure each point is high-level enough that the board will
understand it, but detailed enough to give them a true picture.

McMillan suggests a “five slides in 15 minutes” style presentation,
with an intro and closing slide.

“By 2020, 100% of large enterprises will be asked to report to their
board of directors on cybersecurity”

Slide 1: Get started


Slide 1 is designed to be the call to attention slide. It needs to be sparse, and simply
identify the topics you’ll cover in the following slides. No details are necessary, but it
should signal that the presentation will include information about business execution,
strategy, external developments and risk position. It’s high level, and sets the scene for
the board.

Key Points

Business Execution: We have some bright spots, but continued remedial work in several
areas will enhance business performance.

Material Risks: Our recent acquisition has a minor change on our risk position. All other
material risks are stable.

External Environment: External events require only minor tactical responses.

Security Strategy: Execution of current security strategy is largely on target. Our process
maturity continues to improve, and it exceeds peer benchmarks and approaches target.

Recommendation: Note current state and endorse action plan.

Source: Gartner

Slides 2 - 6: Performance and contribution to business execution

It can be difficult for CISOs to demonstrate how security contributes to business
performance. However, when presenting to the board, it is key to link (implicitly or
explicitly) security and risk to business elements that the board members value.

Whatever version of these slides makes sense for your enterprise will enable you to
highlight metrics and how the security team is contributing to the positive outcome.
However, you should also be prepared to explain potential problem areas and their
implications. Bring more detailed documentation on how each metric was produced for
any board member who asks.

Slides 3 through 6 should discuss how external events will affect security, an assessment
of the existing risk position (this can change depending on acquisitions and other events)
and the entire security strategy.

We Have Some Bright Spots, but Continued Remedial Work in Several Areas Will Enhance
Business Performance

Financial
- We will use security to help grow the business
- We will be efficient in our security management
- We will execute projects on time and on budget
- We will manage our suppliers cost-effectively

Customer
- We will provide a high level of service availability and continuity
- Customers will have confidence in our services and facilities
- We will comply with all applicable regulations
- The right people will have access to the right information

Operational
- Our tools will be fit for purpose
- We will execute change efficiently and reliably
- We will embed continuous improvement in our processes
- We will maintain our operational risk to within a defined risk appetite

Learning and Growth
- Our people will be fully engaged
- Our people will make the right decisions
- We will invest in our people and develop their expertise
- We will protect our know-how as a competitive advantage

Source: Gartner

“95% of CIOs expect cybersecurity threats to increase and impact
their organization.”

Slide 7: The call to action
Finally, wrap up the presentation with a closing slide to reiterate the main points and
any action items. The key is to close strongly, leaving the board confident in your plan
and abilities. Summarize the points you’ve made, and be clear about anything you have
requested. This is a good time to take questions, and thank the board for their time.

Action Plan

Board to note current state
- BAU work programs that uplift business performance will continue.
- Minor actions in response to external changes will be executed as BAU.
- No action is required for minor change in material risk position.
- Security strategy will continue as scheduled.

Regular board update to be delivered during the next half year.

Source: Gartner

“By 2022, more than 20% of businesses will use financial risk
assessments of their data assets to prioritize investment choices
for IT, analytics, security and privacy.”

Join us at Gartner Security & Risk Management Summit to enhance your
communication skills and confidently deliver updates to the board.

28 – 29 October 2019 | Dubai, UAE

#GartnerSEC
gartner.com/me/security

© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates.
For more information, email info@gartner.com or visit gartner.com.
