
Why Board Prep Is So Hard and How CISOs Can Make It Easier
This is the third post in my series on how CISOs can build trust and operate more effectively in the boardroom. As with earlier posts, it draws on conversations with CISOs who joined us for a Security Impact Circle workshop in Palo Alto, as well as leaders who routinely brief Audit Committees and full boards. One theme surfaced repeatedly: board preparation has quietly become one of the most demanding parts of the CISO role.
From serving on Audit Committees, I observe how CISOs must tailor messages for directors with widely different backgrounds, manage tight schedules, reconcile inputs from multiple internal teams, and navigate organizational dynamics that make full transparency and alignment harder than they appear. This post looks at why board prep is difficult and what would make it easier, more consistent, and more strategic.
What Would Actually Make Board Prep Easier
From the workshop and my own experience, four changes would materially reduce the burden and elevate the conversation:
1. Metrics that roll up the same way every quarter
Today, teams pull data from multiple systems, rebuild logic by hand, and hope the narrative aligns with the telemetry. A small, board-approved set of metrics, such as residual risk, recovery objectives, critical asset coverage, and incident trends, would eliminate rework and improve comparability.
2. Automated roll-ups from operational dashboards to board-ready views
This was the loudest pain point. CISOs want to pull real program data directly into executive-level framing without manual reconstruction. Automation here would save time, reduce errors, and strengthen credibility.
3. Deep alignment across assurance functions
Misalignment between Security, Internal Audit, ERM, and Compliance is one of the biggest risks to a productive board conversation. A shared taxonomy and coordinated action plans shift the board’s time from adjudication to decision-making.
4. Better visibility into what directors are hearing elsewhere
Even lightweight reports on industry developments, regulatory shifts, and emerging threats help CISOs anticipate questions and prepare proactively rather than reactively.
The Hardest Part: Preparing for Questions You Can’t Predict
Many CISOs told me the hardest part of board prep is anticipating the unexpected question. Directors sit on multiple boards, absorb different philosophies, and are briefed by Big Four firms, underwriters, and consultants whose perspectives may conflict with internal views.
As one participant put it: “We’re not competing with other companies. We’re competing with whatever another board told our board member last week.”
Take the seemingly simple question, “What percentage of revenue do we spend on security?” CISOs described pulling Finance data, calling peers, and offering directional ranges because meaningful benchmarks barely exist.
From the board side, I understand why the question is asked: it’s a quick proxy for whether security is appropriately resourced. But I also see how challenging it is when external inputs shape the conversation. Strong CISOs acknowledge the limits of the metric and shift the discussion to posture, priorities, and business impact. What I’m really assessing in those moments is whether the CISO can clearly articulate tradeoffs and bring the discussion back to risk and resilience.
The Manual Reality: Board Prep Has Become Its Own Operational Load
Nearly every participant said the same thing: today’s board prep process is far too manual and fragmented. A common frustration was the sheer amount of manual work required. Many CISOs described a recurring cycle:
- Monthly security business review
- Monthly Enterprise Risk Committee review
- Quarterly Audit Committee meeting
In practice, this means only one month each quarter isn’t consumed by prep. Teams rebuild similar content in slightly different formats, pull data from inconsistent systems, rewrite narrative for each audience, and coordinate with Legal, Internal Audit, IT, Engineering, Privacy, and Product.
The Most Stressful Dynamic: Staying Aligned With Internal Audit
This was one of the most candid parts of the workshop. Several CISOs shared stories of misalignment with Internal Audit eroding trust, or, worse, of CISOs being pushed out because their narrative differed from the audit report.
Boards will always take Internal Audit seriously. When Internal Audit and Security tell different stories about the same data, directors are forced to decide whom to believe. That is an unenviable position for any CISO.
The CISOs who navigate this best focus on early and ongoing alignment:
- Agree on the underlying facts
- Understand how each function defines and measures risk
- Align narratives before materials go to the board
- Use a shared risk lens across ERM, Audit, and Security
- Present management action plans jointly when appropriate
When those groups show up aligned, the board gains clarity and confidence.
Where CISOs Spend Too Much Time
When I asked what part of board prep they would make disappear or automate if they could wave a magic wand, the responses were remarkably consistent: “The entire presentation. Automate all of it.”
CISOs reported spending enormous time:
- Collecting and validating metrics
- Pulling data from scattered systems
- Reformatting and aligning slides
- Re-verifying facts with multiple teams
- Reconciling timelines, remediations, and audit findings
Another major time sink is alignment conversations. Many CISOs hold sequential check-ins with Legal, Finance, Engineering, Internal Audit, and the CEO before each meeting. These discussions are essential for credibility but consume significant cycles.
Another issue that surfaced is the amount of time CISOs spend explaining external cyber ratings (e.g., SecurityScorecard, BitSight) that show up in board materials, proxy advisory reports, and underwriting discussions, even though those ratings are often incomplete or inaccurate. Correcting the record is time-consuming, and boards should recognize the tradeoff when CISOs spend their time doing so.
Bottom Line
Board prep is hard because expectations are rising, inputs are fragmented, and current workflows keep CISOs in reporting mode instead of leadership mode. With consistent metrics, automated roll-ups, aligned assurance functions, and better insight into what directors are hearing, CISOs can spend less time assembling decks and more time shaping strategy.
Boards need a strategic counterpart who can connect risk, resilience, and business outcomes. Making board prep easier enables CISOs to play that role fully.

