5 key mistakes IT leaders make at board meetings

It’s not uncommon for CIOs, CISOs, and sometimes their direct reports to be called on to participate in board meetings or to present IT strategies and plans to their boards of directors. If you don’t join board meetings often, preparation is paramount, starting with learning about the directors’ backgrounds and reviewing minutes from previous meetings. And if you’re presenting, it’s best to study older board packages and consult with colleagues about how the directors discuss, debate, and finalize key decisions.

Best practices for board meetings abound. When presenting, you’ll need to win over board members by doing your homework, communicating in business language, and practicing the presentation. When presenting significant innovations and digital transformation investments, preview the presentation to the executive committee, illustrate where customer feedback experiments are needed, and expect detractors seeking perfect roadmaps. Be prepared to answer common board questions about cyber readiness, technology roadmaps, and plans to hire and retain a diverse team.

But when I think about my own board presentations and meetings, it’s the simple mistakes I remember most. So too is the case for many IT leaders I speak with. With that in mind, here are five common mistakes IT leaders make when participating in board meetings.  

They assume their board lacks technical expertise

In 2019, MIT reported that only 24% of US boards of companies with over $1 billion in revenue were digitally savvy. A more recent review reports that only 51% of Fortune 100 companies and 9% of Fortune 200 through 500 organizations have a director with relevant cybersecurity experience.

While these numbers suggest a significant technical and security gap on the boards of large enterprises, it would be a mistake for a CIO or CISO to assume their board lacks digital, data, security, or other technical acumen.

“The structure of the boards have changed over the last few years with many being augmented with technology folks, including ex-CIOs in many cases,” says Manoj Tiwary, CIO of Subaru Canada. “So identify one of the board members as your champion. Make sure you work with this champion outside of the board setting to ensure alignment and adoption of your technology strategy.”

They favor technical jargon and convoluted answers

In Digital Trailblazer, I tell the story of the early internet days when a director asked me, “What’s a cookie?” My first instinct was to provide a technical answer, but then I quickly realized that if I answered the question that way to the board of directors, I’d be shown the virtual elevator down to the CTO morgue.

“CIOs can’t answer questions about key or current IT issues through unintentional, or perhaps intentional, obfuscation,” says Joe Puglisi, a former CIO and now an investor, advisor, and board member. “Nothing baffles the board more than a long string of techno-babble mumbo-jumbo.”

It’s important to avoid speaking technical jargon, but sometimes you’re asked to define a technical term or explain a technology. One approach both Puglisi and I recommend is to answer technical questions with analogies from your industry. We both worked in the construction industry, so, for example, we might help these executives understand Scrum in software development by comparing it to design-build and agile construction project methodologies.

They resort to scare tactics or security risks

We all know the saying “Never waste a crisis” as a tool to bring attention to the big investments no one wants to make.

Sometimes you need a spark to create a sense of urgency, but don’t take this approach too far. I once heard a CISO say, “If you can’t convince the board, then scare them,” which might get a CISO a yes to an investment, but lose credibility over time.  

CISOs who are natural presenters and storytellers can connect with the board using these skills, but only if given sufficient time to use this approach.

If presenting isn’t your best skill, or you only have a few minutes to present, storytelling may confuse directors, says Tony Pietrocola, president and co-founder of AgileBlue. “The problem with boards truly understanding if the enterprise is protected against cyber threats is they’re generally not technical, so the CIO or CISO might answer the question in a confusing narrative,” he says.

Jay Ferro, EVP and chief information, technology, and product officer at Clario, and Allata board member, shares examples of how not to answer the board’s questions about security risks. “Don’t say, ‘We’re trying our best and hope we’re protected,’” he says. “No one can guarantee total security, right? So, it’s hard to say if we’re safe from all threats. Also, don’t overstate your security readiness by saying, ‘Our security posture is robust, and the countermeasures we’ve implemented completely protect our organization from any and all threats.’”

So what should CISOs do to ensure the board understands the security risks without storytelling or using scare tactics?

Pietrocola recommends using security benchmarks to help directors understand the risks, saying, “Scoring algorithms can put a grade on the most critical facets of cybersecurity and the critical operations of the enterprise.” Ferro, meanwhile, recommends discussing the business impacts of high-risk areas and reviewing their remediation plans.

They answer vaguely or lack anticipation

CIOs and CISOs need to understand what information is important to share at the board level. Presenting too many slides is problematic because directors will lose interest. Summarizing with too few slides may leave out key details on the problem statement, growth opportunities, market trends, and other details that connect business and customer needs with technology strategy.

“The last thing we should be doing is present a technology strategy built in isolation at a board meeting, which is out of alignment with the business objectives or not meeting the board’s expectation,” says Tiwary.

Accoeding to Ferro, here are other examples of questions directors ask about digital transformation initiatives and what an awful response sounds like.

• A director asks about the timeline for an initiative that just kicked off, and the CIO answers, “Well, we’ve just started, so there’s not much to share. We’re still trying to figure it all out, so we don’t have any significant progress or insights yet.” CIOs should always answer the question first and then provide supporting detail. A good response is, “We don’t have a timeline yet, but we’re conducting customer research and running a proof of concept around the technology. We’ll have findings in 30 days and a draft timeline soon afterward.”
• Another director asks what IT is doing about generative AI, and the CIO answers, “AI and all these buzzwords sound exciting, but honestly, I’m not sure what difference they’ll make. They’re still pretty new, so we’re just taking a wait-and-see approach.” The problem with this answer is that boards expect CIOs to have a more substantive recommendation about emerging technologies and the business opportunities and risks, even if the executive committee isn’t prioritizing work around the technology.

The key for CIOs and CISOs is to be incredibly informed about the active initiatives, business opportunities, and emerging technologies impacting their business and industry. Even if a topic is not on the agenda, it’s fair game for a director to ask about it.

They throw colleagues under the bus

My last recommendation comes from a #CIOChat Live event, where I asked the panel on CIO and board relationships a provocative question. “If you’re not getting support from the CEO on a critical security or operational investment, should you raise this at the board meeting?” The panelists gave me a harsh stare and answered with a resounding “No.” 

You don’t want to air disagreements at the board meetings or surprise your colleagues by raising an issue that’s not on the agenda. It’s a career-limiting move.

Even the most seasoned CIOs and CISOs have limited board exposure, so presenting at meetings is always a learning experience. Learn best practices, consult with colleagues, and avoid easy mistakes.