This blog is a smaller part of an article in Bugcrowd’s newest report, Inside the Mind of a CISO. Check out the report for the full article, along with other thought pieces, infographics, and data analyses for CISOs and security leaders.

Boards routinely approve significant growth investments but freeze when CISOs ask for budget to fund security initiatives. This disconnect isn’t a result of your presentation skills but of missing context. Specifically, most board members lack the technical context needed to understand security risks and tradeoffs, so they cannot evaluate your proposals against other initiatives, which makes their buy-in hard to win.

Your role as CISO is to bridge this gap by helping the board and executive team calibrate risk tolerance and make informed tradeoffs that align with organizational goals. This requires translating risk to help them understand what level of risk they’re comfortable accepting.

Let’s break it down further.

What is a board looking for?

The first step is to understand what a board is looking for. Every board is looking for clarity on these three questions:

  • What do I need to know? The board wants a high-level understanding of the current state of the security program and the risks that keep you up at night. This also includes any critical data points or trends that you and the team are monitoring.
  • Why do I care? The board needs to understand why the risks and trends matter for the business, whether it’s a threat to operations or a regulatory/compliance need.
  • What do you need from me? The board wants to know what you need them to do to prevent risks from materializing, whether it’s greenlighting a funding request or getting executive alignment on a strategic direction.

Craft a narrative

Board members understand business stories better than security metrics. They want to see progression, learn from challenges, and understand how decisions play out over time. This is why the most effective CISO presentations are built around story arcs. Here’s a rundown of how to begin crafting your narrative.

Make each meeting a new chapter

Think of your board presentation as part of an ongoing story, not a status report. Build on previous decisions and show how they’re being carried out, so that each meeting adds to a continuing account of the state of the organization’s security. This requires you to translate technical risks into a compelling business narrative that helps the board understand why the risks matter for the business, which builds mutual understanding and trust.

For example, you could start an audit storyline with, “We’ve got the audit coming up next month, and we’ve expanded our scope. We’ll likely see new action items because we’ve never thoroughly audited this.” Then, in the next quarter, continue the arc: “Here’s what was accomplished. Here’s what we learned. Here’s what it means for the business. This is what we’re going to do about it.”

Dashboards: A picture is worth a thousand words

To help your board buy your narrative, use dashboards to support your story with metrics. Focus on showing trend lines that demonstrate what’s working, improving, or failing over time. It’s best to use the same dashboard structure each quarter so that the board can quickly understand the data.

Choosing the right metrics

To build the best dashboard, you need the right metrics to tell your story. Focus on binary metrics, such as simple yes/no answers to questions like, “Do you have this coverage?” These work well because cyber insurance underwriters have learned that they correlate with actual breach payouts. Such metrics include the following:

  • End-of-life timelines and upgrade plans for software
  • Coverage metrics (e.g., logging, EDR, and system inventory completeness)
  • SLA adherence by risk level (not total vulnerability count)
  • Security baseline compliance
  • Hygiene indicators (e.g., patch compliance rates, incident response training frequency, and backup/recovery testing results)
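As an added illustration (not code from the article or from Bugcrowd), the following Python script computes two of the dashboard metrics listed above from a constructed set of findings and asset records: SLA adherence broken down by risk level rather than a raw vulnerability count, and coverage percentages for controls such as EDR and logging. The SLA windows, the finding records, and the host lists are all assumed sample values chosen for the example; substitute your own remediation policy and inventory data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLAs in days per risk level (example policy, not the
# article's figures). Each finding must be closed within this window.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    fid: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None means the finding is still open


def sla_status(f: Finding, as_of: date) -> str:
    """Classify a finding at a point in time as 'met', 'breached', or 'pending'.

    'pending' covers findings that are open but not yet due, and findings that
    did not exist yet at the checkpoint, so a trend line stays point-in-time.
    """
    if f.opened > as_of:
        return "pending"
    deadline = f.opened + timedelta(days=SLA_DAYS[f.severity])
    # A close date after the checkpoint counts as still open at that checkpoint.
    closed = f.closed if f.closed is not None and f.closed <= as_of else None
    if closed is not None:
        return "met" if closed <= deadline else "breached"
    return "breached" if as_of > deadline else "pending"


def sla_adherence(findings: List[Finding], as_of: date) -> Dict[str, Tuple[int, int, Optional[float]]]:
    """Per-severity (met, due, percent) where 'due' excludes pending findings."""
    tally = {sev: {"met": 0, "due": 0} for sev in SLA_DAYS}
    for f in findings:
        status = sla_status(f, as_of)
        if status == "pending":
            continue
        tally[f.severity]["due"] += 1
        if status == "met":
            tally[f.severity]["met"] += 1
    result = {}
    for sev, t in tally.items():
        pct = round(100.0 * t["met"] / t["due"], 1) if t["due"] else None
        result[sev] = (t["met"], t["due"], pct)
    return result


def adherence_trend(findings: List[Finding], checkpoints: List[date]) -> Dict[str, List[Optional[float]]]:
    """Adherence percentage per severity at each checkpoint, for a trend line."""
    series = {sev: [] for sev in SLA_DAYS}
    for cp in checkpoints:
        snapshot = sla_adherence(findings, cp)
        for sev in SLA_DAYS:
            series[sev].append(snapshot[sev][2])
    return series


def coverage_pct(inventory: List[str], covered: List[str]) -> Optional[float]:
    """Coverage metric: share of inventoried assets that have the control."""
    inv = set(inventory)
    return round(100.0 * len(inv & set(covered)) / len(inv), 1) if inv else None


# Constructed sample data for the example.
AS_OF = date(2025, 3, 31)
FINDINGS = [
    Finding("V-1", "critical", date(2025, 3, 1), date(2025, 3, 5)),    # closed in 4 days: met
    Finding("V-2", "critical", date(2025, 3, 10), date(2025, 3, 20)),  # closed in 10 days: breached
    Finding("V-3", "high", date(2025, 2, 1), date(2025, 2, 20)),       # closed in 19 days: met
    Finding("V-4", "high", date(2025, 1, 15), None),                   # open past 2025-02-14: breached
    Finding("V-5", "medium", date(2025, 3, 15), None),                 # open, due 2025-06-13: pending
    Finding("V-6", "low", date(2025, 1, 1), date(2025, 3, 1)),         # closed in 59 days: met
]
HOSTS = ["h1", "h2", "h3", "h4", "h5"]          # asset inventory
EDR_HOSTS = ["h1", "h2", "h4", "h5"]            # hosts reporting an EDR agent
LOGGING_HOSTS = ["h1", "h2"]                    # hosts shipping logs to the SIEM

if __name__ == "__main__":
    print(f"Total open or closed findings: {len(FINDINGS)}  (the number a board does not need)")
    for sev, (met, due, pct) in sla_adherence(FINDINGS, AS_OF).items():
        print(f"{sev:<9} SLA adherence: {met}/{due} -> {pct}%")
    print("critical trend:", adherence_trend(FINDINGS, [date(2025, 2, 28), AS_OF])["critical"])
    print("EDR coverage:", coverage_pct(HOSTS, EDR_HOSTS), "%")
    print("Logging coverage:", coverage_pct(HOSTS, LOGGING_HOSTS), "%")
```

Running the script on the sample data shows why the list above prefers SLA adherence by risk level over a total count: six findings looks unremarkable, while the breakdown reveals that only half of the due critical findings were closed within SLA. The same functions evaluated at successive quarter-end dates produce the trend line a board dashboard should carry from meeting to meeting.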

Come prepared with options

Once you have your narrative, present options for addressing your top risks so the board understands how it can help. Spell out the cost, timeline, and resources for each option so the proposals are clear.

The finishing touches

You’ve built the narrative. Here are tips to ensure it lands effectively:

  • Know your fundamentals—Make sure you have an in-depth understanding of your attack surface, data locations, and SLAs.
  • Align with your executive team—Get consensus from leadership on your risk priorities and recommendations before your board meeting to present a united front.
  • Calibrate based on the board’s technical literacy—Use this knowledge to decide the right context level for each topic.
  • Present with conviction—State your confidence and conviction levels honestly.

When it comes to boards, credibility is everything. If you’re not believable, you’re not safe.

The best way to build credibility is to create a clear, compelling narrative that your board can understand, changing them from security skeptics into advocates.