Security in the Board Room

What To Include In Your Cybersecurity Board Of Directors Presentation

Melissa Stevens | June 21, 2016

Most Boards today know that cybersecurity is a critical issue that simply cannot be overlooked — which means many Boards today receive regular briefings on the topic. If you’re a new CIO or CISO (or your organization has just begun this practice) it’s absolutely critical that you establish credibility when you present to your Board of Directors. If you’ve been asked to present and you’ve never briefed a Board of Directors on cybersecurity before, your questions are going to be far different than they would be if you had seven or eight presentations under your belt. So below, we’ve detailed some of the topics you should include in your cybersecurity Board of Directors presentations — for both first timers and seasoned presenters.

First-Time Cybersecurity Board Of Directors Presentation

If this is your first presentation to the Board, your goal should be to provide a very high-level overview. You’ll want to give a short background on cybersecurity, what it means, and why you (and your department) should be concerned. It’s extremely important to speak in a language that the Board can understand — which means cutting out any technical jargon. Instead, talk in terms of risk management, stock price, and bottom line.

Below are some of the topics you may want to cover in your first presentation:

  • A high-level overview of different threat actors.
  • How you generally approach cybersecurity: Who is in charge, how you work together, what the components are, etc.
  • Risks to your cybersecurity environment (i.e., the things you’re concerned about).
  • The type of data you think is most critical or sensitive.
  • The types of critical operations that could be impacted by a cyber incident.
  • Examples of cyber incidents that have occurred at other organizations in your sector.
  • Examples of other notable cyber incidents that have impacted organizations more broadly and that the Board should be aware of.
  • How you think the Board members should be involved and where the Board comes into play.
  • What you anticipate presenting to the Board in the future.
  • The programs you have in place for cybersecurity from a strategy and technology approach.
  • How you train your employees on cybersecurity.
  • The cybersecurity policies you have in place today and those you’d still like to integrate.
  • How you use your systems and how you decide what data to collect.
  • Some of the key external threats, insider threats, and third-party risks you believe you face.


Ongoing Cybersecurity Board Of Directors Presentations

Now that you’ve completed your first cybersecurity presentation to the Board of Directors, your goal should be to continuously educate the Board on critical issues. This means your focus for these presentations should shift, as the Board should be briefed on the effectiveness of the risk management tactics you’re employing. In other words, the Board should know where you are succeeding, how you are succeeding, and any areas that need strategic improvement.

Here are some topics you should focus on in your ongoing presentations to the Board:

  • Technology you’ve purchased and integrated—with a focus on what it is doing for the organization.
  • Technology you want to purchase and why you want to purchase it.
  • The accountability metrics you’ve created, categorized in the following two ways:
    • Audit & Compliance Metrics
      • “Are we ISO-27001-compliant?”
      • “Do we have a vendor risk management program?”
      • “Do we have any outstanding high-risk findings open from our last audit or assessment?”
      • “What percentage of the NIST framework are we implementing?”
    • Operational Effectiveness Metrics
      • “How quickly can we remove employee network access?”
      • “How quickly can we (or our vendors) identify and respond to incidents?”
      • “What percentage of our users click on spear-phishing training emails?”
      • “How did we compare to our peers across certain time spans?”

Knowing the right point to brief the Board on is critical — but there’s much more to an effective cybersecurity Board of Directors presentation. Download our ebook to learn how to take a risk-based approach to cybersecurity reporting.
