See Your Rating
Request a Demo
menu
Security in the Board Room

What To Include In Your Cybersecurity Board Of Directors Presentation

Melissa Stevens | June 21, 2016

Most Boards today know that cybersecurity is a critical issue that simply cannot be overlooked — which means many Boards today receive regular briefings on the topic. If you’re a new CIO or CISO (or your organization has just begun this practice) it’s absolutely critical that you establish credibility when you present to your Board of Directors. If you’ve been asked to present and you’ve never briefed a Board of Directors on cybersecurity before, your questions are going to be far different than they would be if you had seven or eight presentations under your belt. So below, we’ve detailed some of the topics you should include in your cybersecurity Board of Directors presentations — for both first timers and seasoned presenters.

First-Time Cybersecurity Board Of Directors Presentation

If this is your first presentation to the Board, your goal should be to provide a very high-level overview. You’ll want to give a short background on cybersecurity, what it means, and why you (and your department) should be concerned. It’s extremely important to speak in a language that the Board can understand — which means cutting out any technical jargon. Instead, talk in terms of risk management, stock price, and bottom line.

Below are some of the topics you may want to cover in your first presentation:

  • A high-level overview of different threat actors.
  • How you generally approach cybersecurity: Who is in charge, how you work together, what the components are, etc.
  • Risks to your cybersecurity environment (i.e., the things you’re concerned about).
  • The type of data you think is most critical or sensitive.
  • The types of critical operations that could be impacted by a cyber incident.
  • Examples of cyber incidents that have occurred in other organizations in our sector.
  • Examples of other cyber incidents that have impacted organizations more broadly that you should be aware of.
  • How you think the Board members should be involved and where the Board comes into play.
  • What you anticipate presenting to the Board in the future.
  • The programs you have in place for cybersecurity from a strategy and technology approach.
  • How you train your employees on cybersecurity.
  • The cybersecurity policies you have in place today and those you’d still like to integrate.
  • How you use your systems and how you know what data to collect on.
  • Some of the key external threats, insider threats, and third-party risks you believe you face.

Related: Boards need more information about cybersecurity than ever before. Can you present it effectively?

Ongoing Cybersecurity Board Of Directors Presentations

Now that you’ve completed your first cybersecurity presentation to the Board of Directors, your goal should be to continuously educate the Board on critical issues. This means your focus for these presentations should shift, as the Board should be briefed on the effectiveness of the risk management tactics you’re employing. In other words, the Board should know where you are succeeding, how you are succeeding, and any areas that need strategic improvement.

Here are some topics you should focus on in your ongoing presentations to the Board:

  • Technology you’ve purchased and integrated—with a focus on what it is doing for the organization.
  • Technology you want to purchase and why you want to purchase it.
  • The accountability metrics you’ve created, categorized in the following two ways:
    • “Are we ISO-27001-compliant?”
    • “Do we have a vendor risk management program?”
    • “Do we have any outstanding high-risk findings open from our last audit or assessment?”
    • “What percentage of the NIST framework are we implementing?”
    • “How quickly can we remove employee network access?”
    • “How quickly can we (or our vendors) identify and respond to incidents?”
    • “What percentage of our users click on spear-phishing training emails?”
    • “How did we compare to our peers across certain time spans?”
    • Audit & Compliance Metrics
    • Operational Effectiveness Metrics

Knowing the right point to brief the Board on is critical — but there’s much more to an effective cybersecurity Board of Directors presentation. Download our ebook to learn how to take a risk-based approach to cybersecurity reporting.

New call-to-action

Suggested Posts

Security in the Board Room

CISO Salaries 2020: Does a Changing Role Demand a Change in Pay?

Brian Thomas | January 2, 2020

The role of the chief information security officer (CISO) is undergoing a tectonic shift. 

The first generation of CISOs were high-performing technical professionals promoted to senior leadership. They largely reported to CIOs, and had...

READ MORE »
Security in the Board Room

Most Urgent CISO Skills 2020: Reporting, Avoiding Burnout, More

Brian Thomas | December 26, 2019

Since the creation of the first CISO role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, with the majority of companies including a cybersecurity-specific role in their...

READ MORE »
Security Ratings

The Board’s Role in Managing Disruptive Risk: Enter Security Ratings

Jake Olcott | April 12, 2019

Today, disruptive risks are an area of focus for corporate directors worldwide. On a global basis, we face disruptions in areas like geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate...

READ MORE »

Subscribe to get security news and updates in your inbox.

© 2020 BitSight Technologies. All Rights Reserved. | Privacy Policy | Security | For Suppliers

Contact Us | BitSight Technologies | 111 Huntington Ave, Suite 2010, Boston, MA 02199 | +1-617-245-0469