See Your Rating
Free Attack Surface Report
menu
Reporting to the Board

What To Include In Your Cybersecurity Board Of Directors Presentation

Melissa Stevens | June 21, 2016

Most Boards today know that cybersecurity is a critical issue that simply cannot be overlooked — which means many Boards today receive regular briefings on the topic. If you’re a new CIO or CISO (or your organization has just begun this practice) it’s absolutely critical that you establish credibility when you present to your Board of Directors. If you’ve been asked to present and you’ve never briefed a Board of Directors on cybersecurity before, your questions are going to be far different than they would be if you had seven or eight presentations under your belt. So below, we’ve detailed some of the topics you should include in your cybersecurity Board of Directors presentations — for both first timers and seasoned presenters.

First-Time Cybersecurity Board Of Directors Presentation

If this is your first presentation to the Board, your goal should be to provide a very high-level overview. You’ll want to give a short background on cybersecurity, what it means, and why you (and your department) should be concerned. It’s extremely important to speak in a language that the Board can understand — which means cutting out any technical jargon. Instead, talk in terms of risk management, stock price, and bottom line.

Below are some of the topics you may want to cover in your first presentation:

  • A high-level overview of different threat actors.
  • How you generally approach cybersecurity: Who is in charge, how you work together, what the components are, etc.
  • Risks to your cybersecurity environment (i.e., the things you’re concerned about).
  • The type of data you think is most critical or sensitive.
  • The types of critical operations that could be impacted by a cyber incident.
  • Examples of cyber incidents that have occurred in other organizations in our sector.
  • Examples of other cyber incidents that have impacted organizations more broadly that you should be aware of.
  • How you think the Board members should be involved and where the Board comes into play.
  • What you anticipate presenting to the Board in the future.
  • The programs you have in place for cybersecurity from a strategy and technology approach.
  • How you train your employees on cybersecurity.
  • The cybersecurity policies you have in place today and those you’d still like to integrate.
  • How you use your systems and how you know what data to collect on.
  • Some of the key external threats, insider threats, and third-party risks you believe you face.

Related: Boards need more information about cybersecurity than ever before. Can you present it effectively?

Ongoing Cybersecurity Board Of Directors Presentations

Now that you’ve completed your first cybersecurity presentation to the Board of Directors, your goal should be to continuously educate the Board on critical issues. This means your focus for these presentations should shift, as the Board should be briefed on the effectiveness of the risk management tactics you’re employing. In other words, the Board should know where you are succeeding, how you are succeeding, and any areas that need strategic improvement.

Here are some topics you should focus on in your ongoing presentations to the Board:

  • Technology you’ve purchased and integrated—with a focus on what it is doing for the organization.
  • Technology you want to purchase and why you want to purchase it.
  • The accountability metrics you’ve created, categorized in the following two ways:
    • “Are we ISO-27001-compliant?”
    • “Do we have a vendor risk management program?”
    • “Do we have any outstanding high-risk findings open from our last audit or assessment?”
    • “What percentage of the NIST framework are we implementing?”
    • “How quickly can we remove employee network access?”
    • “How quickly can we (or our vendors) identify and respond to incidents?”
    • “What percentage of our users click on spear-phishing training emails?”
    • “How did we compare to our peers across certain time spans?”
    • Audit & Compliance Metrics
    • Operational Effectiveness Metrics

Knowing the right point to brief the Board on is critical — but there’s much more to an effective cybersecurity Board of Directors presentation. Download our ebook to learn how to take a risk-based approach to cybersecurity reporting.

New call-to-action

Suggested Posts

Cybersecurity

What Cybersecurity Questions the Board Really Wants Answered in Your Next Report

Brian Thomas | December 8, 2020

Boards are increasingly looking at cybersecurity as a crucial part of the business. The problem is, the board doesn’t always know what to look for or how cybersecurity impacts the business. What the board really wants to hear in the next...

READ MORE »
Reporting to the Board

Is Your Cyber Security Communication Strategy Effective?

Brian Thomas | September 21, 2020

One of the more challenging aspects of third party risk management is effectively communicating risk. Often the risks posed by vendors are highly technical, and it can be tempting to simply put together a slide or list to review with...

READ MORE »
Benchmarking

Cyber Security KPI and Information Security KPI Examples

Jake Olcott | February 13, 2019

While many IT, security, and risk professionals have developed good metrics and visuals for communicating internally about cyber risk, such as the safety cross and pareto charts, reporting on cybersecurity to non-technical individuals...

READ MORE »

Subscribe to get security news and updates in your inbox.

© 2021 BitSight Technologies. All Rights Reserved. | Privacy Policy | Security | For Suppliers

Contact Us | BitSight Technologies | 111 Huntington Ave, Suite 2010, Boston, MA 02199 | +1-617-245-0469