Making Cyber Risk Board-Ready: How Security Leaders Win the Boardroom
Chris Glanden (Ashley Furniture), Charles Nwatu (formerly Netflix), and Keith Schlosser (Dune Security) on translating cyber risk into board-level decisions that earn trust, investment, and governance wins.
Kaila Mathis: Happy Thursday, everyone. Looks like we have our first guest joining in. I am going to hand it over to Alan to kick off our formal introductions in just a minute. But first, I wanted to say a few quick thank yous to our guests today.
Alan, our first ever guest moderator — this is huge. We are so happy to have someone with such a wealth of knowledge on this topic joining and leading the discussion. Thank you again for being here.
We have Charles joining as the head of security at Delve and also a former GRC leader at Netflix.
We have Chris joining as the director of security at Ashley Furniture.
And Keith, who will go into his very extensive breadth of experience, is now proudly our new CIO in residence at Dune Security.
Today we are going into a topic that is very highly requested from our audience: making cyber risk board-ready. I think it is going to be really tangible and valuable for everyone in attendance, and we will get into specifics about how you can translate lots of data and quantitative information into qualitative outcomes and results for GRC teams and CISOs.
For anyone joining us live, please feel free to drop your name, LinkedIn, and location in the chat. We would love for everyone to be able to connect during and after this session. If you have any questions, feel free to drop those in the chat as well. Alan will take a look at those during the Q&A portion later in the session.
Looking forward to a great conversation. I am going to turn it over to Alan to give more formal introductions and get things started. Thank you, everyone.
Alan Luk: Hey everybody, I am Alan Luk. I am on the GRC team at Microsoft Azure. A little bit about my career: I have 20-plus years in GRC. I started with PwC as an internal and external auditor, then went to Microsoft for over a decade doing second line of defense and compliance work, then led the GRC team at Grammarly reporting directly to the CISO, and recently came back to Microsoft.
I am super excited to play moderator for this session. Twenty-plus years in GRC and I have never personally been able to sit in on a boardroom meeting. I was never invited.
So I am really excited to pick the brains of the three gentlemen on this panel and ask my own questions, as if we are all having dinner together in a closed room. Hopefully our viewers will feel the same way and benefit from the insights shared. I will pass it over to Charles for a quick intro.
Charles Nwatu: Thanks, Alan. My name is Charles Nwatu, head of security at Delve. Before that, I was building out GRC engineering at Netflix.
I did not come into the GRC space directly. I started as an incident responder and detection engineer and over the years migrated into enterprise security and cloud security. I became really interested in what GRC can provide as almost a map for how things are going within your security organization, and in how to support security leaders in answering the questions boards have.
I am really looking forward to the conversation today and what we can share broadly with folks.
Chris Glanden: Hey everyone. I am Chris Glanden, director of security architecture, engineering, and network security at Ashley Furniture Industries — which is why my title is shortened on screen. It is a very long title.
I have about 25 years in the industry, including a significant amount of time as a strategic consultant. So in addition to my current experience, I have extensive past experience helping organizations get in front of the board and communicate effectively in the boardroom. I am very honored to be sharing the platform with these gentlemen today and looking forward to the conversation.
Keith Schlosser: Hi everyone. Keith Schlosser here. I am the CIO in residence at Dune Security and have been working with the team for well over a year.
I spent 36 years in insurance and financial services and have spent a lot of time in front of boards at Fortune 50 and Fortune 1000 companies.
This is an important topic. The first time you do it, it can be a bit overwhelming. The tenth time you do it, it can still be a bit overwhelming. Hopefully we can demystify some of this for you today.
Alan Luk: Thanks for all the intros, gentlemen. Let us get right into it. My style is to get into specifics and get in the weeds a little rather than staying high level. I think our viewers will appreciate that too.
First question: for many security and GRC leaders, the boardroom is a very small circle of people who are invited. It is kind of a black box. For those who do not have this insight, can you describe what a typical board meeting looks like? Who is invited, what are each person's goals, what is a typical agenda, and how much time is actually allocated to cyber risk?
Let us have Keith take the first response.
Keith Schlosser: Sure. This has evolved significantly over the last five years or so. When I first started interacting with the board, the amount of time allocated to cybersecurity was measured in under five minutes. It was typically a canned report, nobody asked questions, and that was it.
Fast forward to today and you are talking about very significant amounts of time that boards spend on cybersecurity. They are more knowledgeable than they were some years ago.
It is important to understand that a board meeting is actually a series of meetings typically done over multiple days. You have your risk committee meeting, potentially an IT and cyber risk committee, the general meeting, and a kickoff meeting. In all the companies where I have been involved, the cybersecurity function reported to me, so I was often in every meeting with the CISO joining where appropriate.
Each one of these committees or meetings has a different agenda. You need to think through who is in the room and who the audience is — including your colleagues, who might be hearing something for the first time and whom you do not want to surprise. And of course there are the board members themselves. Board members have different agendas, and doing your research and homework on what is important to each board member will serve you well over time.
There are a lot of meetings within the board meeting, and each one has a different agenda. The research you do ahead of time is critically important to getting the outcome you are after.
Alan Luk: I had a feeling it was not just one board meeting but a series of meetings with different audiences and different agendas. Charles, Chris, anything else to add?
Charles Nwatu: I think Keith brought out something very important. It is the meetings that happen between the meetings and the amount of work that goes into understanding the audience and the perspectives of board members, some of whom sit on other boards. There is a style and a stylistic nature to what your board members will consume and to the narrative development. There is a story of orchestration that goes into this, and that process takes time.
Whether it is the first time or the tenth time or the twentieth time, the process is key in terms of landing your objective or theme and how you go about doing that. The process behind the scenes is just as important as the meeting itself.
Alan Luk: Next question is for Chris. When cybersecurity is on the agenda in one of these board meetings, what are boards actually trying to understand or decide? And from the security side, what are security leaders hoping to get out of these conversations? Is it asking for budget, asking for support, alignment discussions, or just informing the board of the state of security?
Chris Glanden: They are expecting value within maybe two to three minutes, which is a challenge in itself. At a board level, they are not really trying to understand or grasp security controls at a granular level, and I think that is a common misconception going in. They are trying to understand the business impact and business exposure.
When approaching a board meeting, I think boards are trying to understand three things. First, are we likely to be involved in or impacted by a cyber-related incident? Second, what would it cost us financially if we were impacted by a cyber incident? And third, are we investing in the right tools and implementing appropriate controls to address that risk?
A quick example: at a manufacturing company like ours, the conversation is going to be less about data theft or insider threat and more about downtime. If manufacturing plants cannot run, revenue stops immediately. That is really the crux of what the board cares about.
Alan Luk: Let me dig into that a little. You have just a handful of minutes to say your piece, get reactions, and identify next action items. How do you actually prepare and present all of that in a matter of minutes in a way that gives board members enough context to walk away with the right decision or next step?
Chris Glanden: Hopefully you know your audience and who you are speaking to. You try not to get too granular and keep things at roughly a 10,000-foot level. When talking to boards, you want to hit on trends and top risks. Board members love to read Forbes and the Wall Street Journal. If you really want to resonate with them quickly, do some reconnaissance on those websites because that is what they are reading and what is top of mind for them in terms of risks.
In terms of depth, I only go deep when there is a major decision or when there is money attached to it. Otherwise, just go with a tight scope of what you want to present at that point in time.
Keith Schlosser: I would add a couple of things. It starts with the annual plan that is agreed upon by the board, and the metrics and approach to updating them are established early on before the new year. A lot of times I am preparing for a board meeting upwards of two months in advance.
Like Chris and Charles, I am also looking at the issues hitting the headlines and preparing months in advance for board questions. Those questions can come in via email if it is a current event, or they can be something the board has stored away and wants to raise.
The things they want to go deep on in the actual meeting are usually the things not tied to your prepared metrics, because they have read those metrics ahead of time. What I have seen in board meetings is questions around third-party risk, trends, and audit findings. Board members often will not wait for the audit meeting — they will raise audit findings in any meeting they have with you.
The last thing I would say is that a lot of conversation happens at dinners and coffee breaks. You need to understand that those are meetings too. That is not a place to let your guard down. You need to be prepared around the clock while the board meeting is happening.
Charles Nwatu: I would add that the key question is: what story or narrative are you trying to plant? Those dinners and informal moments are the formative times where you start planting the seed so that once you get to the actual meeting, the growth happens.
There is also a curious nature to some board members. They may have read something in the Wall Street Journal and want to know: how does this affect us? What are you doing about it? There is almost a reassurance element to the narrative you need to develop.
And sometimes your prepared deck can get wiped out entirely because something comes in so hot that it takes over the whole meeting. You may come in with a set agenda and then, to borrow the Mike Tyson saying, you get hit and have to reorient yourself and address the questions at hand.
Alan Luk: Off-script question that just came to mind. In GRC, we have different audiences with different incentives — legal, external auditors, internal auditors, security leaders. What category does the board fall into? Are you 100 percent transparent in these meetings, with all the dirty laundry on the table? Or do you keep things at a certain level, similar to answering only what is asked in a legal context?
Keith Schlosser: You have a lot of meetings before the board meeting — with general counsel, the CEO, the COO, the CFO, and so on. You need to make sure they are totally on board with everything in your pack. Typically there would be a read-through of the board deck, which can be 30 to 400 pages. Your job in those sessions is to get everyone on the same page so that when you go into the board meeting, you are talking about the things most relevant to the board.
Personally, I am never going to hide anything from anyone — not the CFO, the CEO, or the board. But you do not want them getting involved in the operational metrics of your organization. You want to provide them with enough information so that they can do their job, which is oversight of the company and understanding and reducing risk.
I have seen situations where people reporting to the board for the first time almost relinquish their operational rights to the board. If you do that, they will take it. It is a learned behavior and you will make mistakes in the beginning. The best thing you can do is find someone in your company who has been there and done that and ask them to mentor you through the first couple of meetings.
Chris Glanden: I would echo that. You do not want to hide information from the board, but you also have to be very careful with information disclosure. You go in with an agenda, and you do not want to cast a wide net that spawns a hundred more questions. Have that scope in mind and try to stay as close to it as possible.
Charles Nwatu: I would double down on Keith's point about finding a mentor — someone who has done this once or twice or even ten times. There is a building process that goes into this, and the narrative development and information disclosure considerations are things that can throw you for a loop. It is all a learning process about knowing the audience and what drives and motivates them.
Keith Schlosser: One more thing: in my experience, board members will ask you questions you do not know the answer to. You can count on it. The right answer is simply: that is a question I do not know the answer to, and I will get back to you before the end of this meeting. Do not try to bluff them. It will bite you and you will lose credibility that is very hard to get back.
Alan Luk: Bringing it back on script now. Let us talk about quantitative versus qualitative. There is a lot of debate in the GRC, risk, and compliance world about the need for quantitative metrics to land well with non-technical folks at the board level, versus the argument that quantitative models are a black box in themselves that generate more questions than answers. What is your stance on this? How do you translate cyber and user-driven risk into business-relevant terms that are digestible for board members? When does quantitative data help and when does qualitative context matter more?
Charles Nwatu: My belief is that security needs to talk in the language of business. The business understands its workflows in terms of how it generates revenue and manages costs. Security should be able to demonstrate its value and impact in those same terms — ideally as a dollar value. How does risk translate to business outcomes?
I think qualitative context is easier to consume, but I am not sure it provides the best insights for decision-making. Quantitative is more powerful, but it can sometimes feel like a black box. The key is trying to get a champion on the board who can help bring others along.
Chris Glanden: I try not to present security metrics in isolation. I try to emphasize business risk indicators. Dashboards and metrics have their place, but in the boardroom you have limited time. Packet capture stats or EDR agent statistics are going to put the board to sleep. You want to communicate the likelihood of a production shutdown or the risk of fraud.
The translation is about converting security terminology into business impact language. Vulnerabilities become serious system flaws that could disrupt production or customer orders and negatively impact revenue. Mean time to detect becomes how long are we going to be offline.
Every year I work with the board and the risk committee to agree on a set of metrics they can track over time. When I provide quarterly metrics, I also provide the previous three quarters so they can see trending. If there is a deviation, I explain it. When I get into the meeting, I assume they have read the deck and I say so. I ask if they have any questions, and if not, I say let us talk about what this means to our business. That approach seems to accomplish both the quantitative and qualitative aspects, and it leads naturally to the deeper conversation.
Chris Glanden: To add one more example: if you are migrating to Dune from a legacy security awareness training tool where everyone was previously passing, and now you have implemented Dune and the initial numbers look different, you are going to need to explain that. The business impact framing here is that the depth and breadth of what you are doing is significantly better, even if the early numbers tell a different story on the surface.
Alan Luk: What do you see as the hot-topic agenda items related to cybersecurity and risk in board meetings today?
Charles Nwatu: Data and AI. Those two in combination are what I am seeing most. It is almost a foundational business question — where are we and what are we doing with these things — not just a security question. That is what I am hearing about when it comes to what is keeping board members up at night.
Chris Glanden: I would agree that data and AI are number one. And the question is shifting. It used to be how are we using AI? Now it is how are we protecting the organization from the AI tools we are using? At this point, everyone is tapping into AI at some level. The board question is now about protecting data and systems, not just where AI is being deployed.
Keith Schlosser: I would add insider threat, which ties heavily to AI, DLP, and related topics. Both intentional and unintentional insider threat are still generating a lot of board questions.
Third-party risk is another significant one.
And an emerging topic I am starting to hear about from people who serve on boards is the quantum computing threat. There are regulations coming out in the next two to three years, particularly in Europe, around quantum computing and its impact on cybersecurity. Board members are reading about this in the Wall Street Journal and The Economist and talking to each other about it, so you need to be prepared.
Alan Luk: What is the expectation for security leaders when these recurring topics come up as standing agenda items? Is it just to have a plan? To monitor the risk level? What does the board actually expect from you beyond putting something on the agenda?
Keith Schlosser: Be a thought leader within your organization. Gone are the days where the CIO and CISO are kept out of sight somewhere in the dark. This is our opportunity to lead the conversation. If you are sitting across from the board, their level of expectation for you is very high. These are C-suite roles or roles reporting into the C-suite. The expectation is to be knowledgeable, to be a thought leader, and not to be afraid to share your opinion.
At the same time, if you have an opinion that could be controversial or outside the mainstream, make sure you are sharing it with the appropriate people in advance. It is okay to be a thought leader and to share your perspective.
Chris Glanden: What I would really like to see coming out of these conversations is alignment on priorities and understanding of the risk acceptance decisions the organization is making. Budget is often part of it, but if the board says we understand this risk and we are choosing not to fund addressing it, to me that is actually a win. It is a conscious decision made by the board versus the board unknowingly carrying risk forward.
Charles Nwatu: Chris brings up a great point about clarity and intentionality. Removing ambiguity — even if the decision is to do nothing — is just as clear a signal as deciding to act. And as Keith mentioned earlier, how do you trend those decisions over time and revisit them to provide additional clarity or reconfirm direction?
People need to be mindful of how much work goes into building that narrative, partnering with stakeholders, doing the prep work, the pre-work, the dinner work. There is so much that goes into what is sometimes a two-to-three-minute conversation.
Alan Luk: A question from the audience: Jeremy is asking, how do you counter a board member who tries to get too deep in the weeds?
Keith Schlosser: Artfully. First, if your partners who are running the board meeting — general counsel or the CEO — are paying attention, they will jump in. Part of their job is to protect you from having to answer those types of questions in that forum.
If that does not happen, I would say something along the lines of: that is a great question. I am not prepared to answer it fully at this time, but if you would like to set up some dedicated time to go over it in more detail, I would love to do that and welcome any other board member who wants to join. I want to make sure I give you a fulsome answer rather than responding off the cuff. That is how I would handle it.
Chris Glanden: I would add: try to redirect your answer back to the purpose for which you are there, which is to identify business risk and impact. You can go deep down a rabbit hole in those conversations very quickly, so try to be direct and redirect back to that core purpose.
Alan Luk: Another audience question from Y3, and Keith, this one goes to you since you brought up quantum computing: what are some policies organizations should have in place about quantum computing?
Keith Schlosser: I would not consider myself an expert on this yet, and I think it is an evolving issue. What I am doing is looking at emerging regulatory language and using that to help inform strategy.
The first thing I would do is get with your risk officer, if your company has one, and start talking about a strategy for putting some guardrails in place. Read as much as you can. Reach out to quantum computing organizations and ask them directly, because they are certainly fielding this question.
Go deep on the regulatory aspects. One thing I would advise against — and this could be controversial — is hiring a consultant too early, because a consultant is sitting at the exact same spot as everyone else on this call and will charge a significant hourly rate to arrive at the same conclusions. Be a leader, do your own research, and at some point you may want to bring in outside help or outside counsel. But there is a lot you can do on your own first.
Charles Nwatu: I would say there is something called quantum risk exposure. I would direct someone to inventory all of the controls and technology within their environment — VPNs, authentication mechanisms — and get an idea of what the target footprint looks like. There are experts in this field who specialize in it, but taking that inventory is a good way to get ahead of the question when it comes.
Alan Luk: One more question from the audience. Paul is asking how advanced threat and risk intelligence can be used in board meeting conversations.
Charles Nwatu: I think this is very particular to the industry and business line you are in. In my experience, these conversations can go down the rabbit hole quickly if they are not tangible to the business itself.
I would say that depending on your business vertical, advanced threat intelligence may be more appropriate as appendix-level data unless you can map it directly back to things that could drive operational outages or security-related outages that impact the business's ability to achieve its goals.
I have been cautious about bringing in purely threat-based data — particularly higher-order adversary information — unless there is an explicitly linked concept the board needs to be aware of. Using it as just another metric or data point without that context can create a rabbit hole conversation that is not actually beneficial.
Alan Luk: We are just about at time. Let us finish with a rapid-fire round-robin. One or two key takeaways for someone preparing for their first board meeting, or someone who got burned the first couple of times and wants to improve. Draw from personal experience and lessons learned.
Keith Schlosser: Be confident. You are the expert in the room when you are in front of the board. Your answers matter. Do your homework ahead of time, make sure everyone on the leadership team understands what you are about to say, and do all the prep work in advance so you do not have any missteps in the middle of the room that you have to deal with afterward.
Chris Glanden: Two soundbites you can use. First: boards do not want cybersecurity updates. They want confidence and reassurance that the business can keep operating. That is the bottom line for them. Second: if a board member cannot explain your slide or your message to another board member in 30 seconds, it is too technical.
I would add: avoid the technical overload. Board members are very successful people who do not typically get into situations where they do not understand something. If they do not understand what you are presenting, you are going to get an aggressive board member, and that will not work out well for you.
Charles Nwatu: Words matter. Clarity of communication matters. How you represent your information matters. The presentation and organization of your slide deck matters. Even the visual nature of how information is laid out and read matters.
Spending time with UX designers on how to plot information — colors, schemes, visual hierarchy — sounds like a detail, but it genuinely affects how people see information, retain information, and react to information.
Kaila Mathis: Thank you, everyone. I am not just saying this because I have you all in front of me, but this is really my favorite conversation we have had on Dune's webinars. There were tons of great questions, Alan — it was clear how much thought you put into putting this together. Chris, Charles, and Keith, amazing points throughout — everything from knowing your audience and reading the room, to making sure the narrative is focused on actual business risk indicators rather than technical information that either gets people too deep in the weeds or goes straight over their heads.
We are going to be sharing specific clips that we thought were particularly valuable with everyone who joined today, as well as anyone who signed up and could not make it. We will also send over an overall recap.
Please feel free to share this with anyone you think might find it valuable. And if you are interested in suggesting future webinar topics or participating in one, please feel free to reach out to our team. We would love to talk with you about that.
Thank you, everyone. We are going to wrap it up here, but please feel free to reach out if you have any more questions.
Cyber risk is now a core governance issue, yet most boards still struggle to evaluate exposure through traditional security metrics. Security leaders are increasingly expected to translate technical risk into business impact, explain user behavior in terms directors can act on, and make the case for investment without losing the room to dashboards and control counts.
In this session, moderated by Alan Luk of Microsoft, Keith Schlosser, Chris Glanden, and Charles Nwatu share what they have learned from years of presenting to boards: what boards actually care about when it comes to cyber risk, why legacy reporting frameworks consistently fall short, and how modern security leaders are quantifying, prioritizing, and communicating risk in ways that build lasting board trust and secure the governance outcomes their programs need.
Key Takeaways
- Be confident and do your homework. You are the expert in the room when you are in front of the board. Make sure the leadership team understands what you are about to say, and do all the prep work in advance so you do not have missteps to deal with afterward.
- Boards want confidence and reassurance, not cybersecurity updates. The bottom line for directors is whether the business can keep operating. Frame every message around business continuity and risk tolerance, not control counts or vulnerability metrics.
- If a board member cannot explain your message in 30 seconds, it is too technical. Board members are very successful people who do not typically tolerate being confused. Technical overload produces aggressive reactions and erodes trust.
- Words, clarity, and visual presentation matter. How you organize your slide deck, the colors and schemes you use, and the visual hierarchy of information all affect how people see, retain, and react to information. Spending time with UX designers is not a detail, it is a force multiplier.
- Focus on business risk indicators, not technical weeds. The narrative should center on actual business risk indicators that directors can act on. Technical information either gets people too deep in the weeds or goes straight over their heads, and neither outcome serves the program.