I recently hosted a webinar in which cybersecurity experts Emily Heath, General Partner of CyberStarts, and Jeremy Smith, CISO of Avery Dennison, shared invaluable insights on preparing for board meetings. As the role of CISOs continues to evolve, understanding how to communicate effectively with board members has become crucial. Let's explore some key takeaways from this discussion.
Emily Heath, drawing from her experience as both a CISO and a board member, introduced a powerful framework consisting of five essential questions that CISOs should address when preparing for board meetings, so that the presentation is relatable to both technical and non-technical audiences:
1. What matters most to your organization?
Heath stressed the importance of pinpointing your organization's "crown jewels" and tying your security initiatives to what is most important for keeping the business running. When identifying your own company's "crown jewels", focus on what your company needs in order to operate: your data, the systems that hold sensitive data, and operationally critical systems and technology. Whether you're an airline protecting passenger data and your reservation platform or a tech company safeguarding intellectual property and customer data, you can frame security discussions in terms that resonate with board members and demonstrate the direct impact of security initiatives on business success.
Once you’ve answered the first question, frame the next four questions all around it.
2. Where are these critical assets located?
Identifying the location of critical assets is crucial for effective security planning. This question prompts CISOs to map out where sensitive data and operationally critical systems reside, whether on-premises, in SaaS applications, or in the cloud. By presenting this information to the board, you can illustrate how your security strategy adapts to different environments and highlight areas that may require additional resources or attention.
3. How are you protecting these assets?
This question allows CISOs to showcase the specific security controls and measures in place for critical assets. It's an opportunity to demonstrate the depth and breadth of your security program. When addressing this question, consider explaining not just what controls are in place, but also why they were chosen and how they align with industry best practices or regulatory requirements.
4. How vulnerable and at risk are these assets?
Rather than overwhelming the board with technical metrics, center updates on your vulnerability management program on the first question: how your team focuses on the biggest priorities. Heath recommends highlighting how quickly critical vulnerabilities are addressed on key assets, which gives the board a more meaningful understanding of risk than raw counts. Consider presenting trends over time, showing improvements in vulnerability management, and explaining how you prioritize and mitigate risks to the most critical assets.
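One way to compute the metric Heath recommends, as an added example that is not from the webinar or the original post: time-to-remediation for critical findings, split between crown-jewel assets and everything else and tracked per quarter, plus the count and age of still-open critical findings on crown jewels. Asset names, dates and the record layout are constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

def finding(asset, crown_jewel, severity, opened, closed=None):
    """One vulnerability record; crown_jewel marks assets chosen under question 1."""
    return {"asset": asset, "crown_jewel": crown_jewel, "severity": severity,
            "opened": date(*opened), "closed": date(*closed) if closed else None}

# Constructed sample findings (hypothetical assets and dates, not real scan data).
FINDINGS = [
    finding("reservations-db", True, "critical", (2024, 1, 10), (2024, 1, 14)),
    finding("booking-api", True, "critical", (2024, 2, 1), (2024, 2, 7)),
    finding("intranet-wiki", False, "critical", (2024, 1, 5), (2024, 2, 4)),
    finding("test-jenkins", False, "critical", (2024, 3, 1), (2024, 3, 21)),
    finding("reservations-db", True, "critical", (2024, 4, 3), (2024, 4, 5)),
    finding("booking-api", True, "critical", (2024, 5, 10), (2024, 5, 14)),
    finding("intranet-wiki", False, "critical", (2024, 4, 15), (2024, 5, 3)),
    finding("booking-api", True, "high", (2024, 1, 20), (2024, 2, 20)),  # not critical
    finding("reservations-db", True, "critical", (2024, 6, 20)),  # still open
]

def quarter(d):
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def remediation_trend(findings, severity="critical"):
    """Median days from discovery to closure per quarter, split into
    crown-jewel assets vs everything else, for the given severity."""
    buckets = defaultdict(list)
    for f in findings:
        if f["severity"] != severity or f["closed"] is None:
            continue  # only closed findings of the requested severity count
        tier = "crown_jewel" if f["crown_jewel"] else "other"
        buckets[(quarter(f["opened"]), tier)].append((f["closed"] - f["opened"]).days)
    return {key: median(days) for key, days in sorted(buckets.items())}

def open_critical_on_crown_jewels(findings, as_of):
    """Count of still-open critical findings on crown jewels and the age in days
    of the oldest one: the current exposure figure a board wants to hear."""
    ages = [(as_of - f["opened"]).days for f in findings
            if f["crown_jewel"] and f["severity"] == "critical" and f["closed"] is None]
    return len(ages), max(ages, default=0)

if __name__ == "__main__":
    for (q, tier), days in remediation_trend(FINDINGS).items():
        print(f"{q} {tier:<12} median days to fix: {days}")
    print("open critical on crown jewels:",
          open_critical_on_crown_jewels(FINDINGS, date(2024, 6, 30)))
```

The quarter-over-quarter drop in the crown-jewel median is the trend line worth showing; the gap between the two tiers is the evidence that prioritization is actually happening.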
5. How prepared are you when something goes wrong?
This question addresses the organization's ability to continue operating in the event of a major breach or ransomware attack. Use it as an opportunity to discuss your incident response plan, business resilience, backup and recovery capabilities, and any lessons learned from past incidents or near misses. Highlight how your team stays prepared and ensures that, for your most critical systems, both the data and the infrastructure that holds it are backed up so they can be restored after an attack.
Conclusion
By addressing these five key questions, CISOs can effectively frame security discussions in business terms, providing board members with a clear understanding of the organization's security posture, risks, and preparedness. This approach helps align security initiatives with business objectives and facilitates more meaningful conversations at the board level.