CISO’s Guide to Presenting Cybersecurity to Board Directors

Seasoned CISOs/CSOs understand the importance of effectively communicating cyber risk and the need for investment in cybersecurity defense to the board of directors. To ensure cybersecurity becomes a strategic part of the corporate culture, it is crucial for CISOs to present the topic in a clear, concise, and compelling manner. In this article, I will share my advice on best practices that can help CISOs successfully raise awareness and secure the necessary support from their organization’s board.

One key aspect of successful communication is understanding the business objectives and risk appetite of the organization. It is essential to align cybersecurity initiatives with these objectives in order to demonstrate the value they can bring to the company. The board should be presented with data-driven evidence of cyber risks and potential consequences, along with an overview of the return on investment (ROI) in cybersecurity defense. This will help bridge the gap between technical and business perspectives, fostering an environment where cybersecurity is taken seriously and becomes a strategic priority.

Another crucial element is to focus on quantifiable metrics and avoid using vague or overly technical jargon. Board members are not necessarily experts in cybersecurity, so it is important to present information in a way that is easily digestible and resonates with them. Utilize real-world examples, case studies, and industry benchmarks to drive home the importance of investing in cybersecurity defense and creating a culture where everyone plays a role in protecting the organization from cyber threats.

Understanding the Board’s Perspective

As a CISO, it’s essential to comprehend the board’s viewpoint when presenting cybersecurity initiatives. Board members are typically focused on the company’s overall strategic direction, financial performance, and risk management. Thus, it’s critical to align your cybersecurity presentation with their priorities.

First, understand what concerns the board members the most. This could range from potential financial losses due to cyberattacks to reputational damage resulting from a breach. According to a Board of Directors Cyber Attitudes report, board members are particularly interested in quantifiable metrics and risk assessments that provide an accurate view of the company’s cybersecurity posture.

Ensure that your presentation demonstrates the return on investment (ROI) of your cybersecurity initiatives. Highlight the correlation between robust cybersecurity measures and attaining the company’s business objectives – whether it’s reducing downtime or enhancing customer trust.

Lastly, establish a dialogue with the board and be prepared to address their questions and concerns. Regular communication keeps the board informed about the cybersecurity landscape and fosters a deeper understanding of the risks and strategies involved, ultimately making cybersecurity a strategic part of the corporate culture.

Developing a Clear Cybersecurity Strategy

As a CISO/CSO, creating and presenting a clear cybersecurity strategy to the board of directors is crucial in fostering awareness of cyber risks and encouraging investment in cybersecurity defense. A comprehensive approach encompasses aligning with business objectives, identifying key cyber risks, and setting priorities for investment.

Aligning with Business Objectives

One of the essential aspects of a successful cybersecurity strategy is to ensure that it aligns with your organization’s overall business objectives. This connection helps the board of directors to understand the significance of cybersecurity in achieving the company’s goals. Begin by:

  • Mapping cybersecurity initiatives to specific business objectives, such as increasing revenue or improving customer trust.
  • Demonstrating how a strong cybersecurity posture supports and enhances the organization’s competitive advantage.
  • Communicating the potential financial and reputational impact of cybersecurity incidents and how the strategy is designed to mitigate those risks.

Identifying Key Cyber Risks

In presenting a cybersecurity strategy, it is crucial to identify the key cyber risks facing your organization. A thorough assessment of these risks will enable the board to understand the need for investment in cybersecurity. When identifying key cyber risks, consider:

  • Current and emerging threat landscape in your industry.
  • Vulnerability assessments highlighting areas where your organization’s defenses may be lacking.
  • Regulatory and compliance considerations, including potential fines and penalties for non-compliance or data breaches.
  • Your organization’s cybersecurity maturity and the areas in need of improvement.

Setting Priorities for Investment

With a clear understanding of the business objectives and key cyber risks, the next step is to prioritize investment in cybersecurity initiatives. Highlighting the most significant risks and potential impact will help the board to allocate resources wisely. When setting priorities for investment, take into account the following:

  • Cost-benefit analysis of different cybersecurity initiatives, considering factors such as potential risk reduction and return on investment.
  • Urgency and scalability of identified risks, with a focus on addressing high-priority issues without delay while keeping future growth and evolving threats in mind.
  • Alignment with industry best practices, security benchmarks, and compliance standards to demonstrate commitment to a strong cybersecurity posture.
  • Identifying appropriate metrics to track progress and success, allowing the board to monitor the effectiveness of cybersecurity investments.

By developing a clear cybersecurity strategy that aligns with business objectives, identifies key cyber risks, and sets priorities for investment, you will be in a better position to communicate the importance of cybersecurity to the board of directors and foster a cyber-aware corporate culture.

Effective Communication with the Board

Effective communication is a crucial aspect of delivering a successful cybersecurity presentation to the board of directors. By considering the following strategies, you can ensure that your message is both clear and impactful.

Using Clear and Concise Language

It is essential to avoid overly technical security language when speaking with the board. Instead, use layman’s terms and familiar analogies that board members can grasp quickly. This approach will help them understand complex security concepts and make informed decisions without being overwhelmed by technical jargon. Examples of simple language include:

  • Referring to “malware” as “malicious software” or “harmful programs”
  • Using “data breach” instead of “unauthorized access to sensitive information”

These adjustments will make your communication more accessible and enable board members to grasp the importance of cybersecurity risk management.

Visualizing Cybersecurity Data

Visual aids can support your message and enhance comprehension among board members when presenting cybersecurity data. Using charts, graphs, and other visual elements helps to highlight trends, patterns, and vulnerabilities within your company’s cybersecurity landscape. For example, you may consider using:

  • Pie charts to represent the proportion of various types of cyber threats faced by the organization
  • Line charts to indicate the growth or decline of security incidents over a specific period

These visualizations help board members to better understand complex data, making it easier for them to engage with your presentation and make well-informed decisions.

Connecting Cyber Risks to Business Impact

For a cybersecurity presentation to resonate with board members, it’s crucial to relate cyber risks directly to the organization’s business objectives and overall strategy. By showcasing the potential financial, operational, and reputational impacts of a cyber incident, you can drive home the significance of cybersecurity in sustaining long-term business success.

Some ways to relate cyber risks to business impact include:

  • Demonstrating the financial loss resulting from a data breach or ransomware attack
  • Highlighting how a cyber incident can affect client trust, leading to a loss of customers and market share
  • Stressing the importance of compliance with industry regulations and the potential consequences of non-compliance

By connecting the cybersecurity discussion to tangible business impacts, you’re more likely to garner support for investment in cybersecurity initiatives and promote a security-centric corporate culture.

Building a Cybersecurity Culture

Creating a strong cybersecurity culture within the organization is essential for managing cyber risk effectively. As a CISO, it is your responsibility to ensure that every employee understands the importance of cybersecurity and their role in maintaining the company’s security posture. Here are three key areas to focus on:

Promoting Employee Awareness

First and foremost, emphasize the importance of employee awareness through tailored security training and awareness programs. The human factor is involved in more than 85% of data breaches, as noted in the 2021 Verizon Data Breach Investigations Report. To build a successful cybersecurity culture, make security awareness training engaging and rewarding, and encourage a growth mindset. This can be achieved by gamifying training sessions, providing incentives for participation, and recognizing employees who demonstrate positive security behaviors.

Leadership Involvement

Strong leadership involvement is necessary for fostering a cybersecurity culture from the top down. Encourage the board of directors and the top management to champion cybersecurity initiatives, and communicate the importance of cybersecurity to the entire organization. As a CISO, leading by example is crucial in demonstrating the commitment to cybersecurity to employees.

Continuous Improvement

Establish a continuous improvement process for your cybersecurity program by regularly reviewing and updating policies, procedures, and technologies. Involve employees in the process by encouraging them to provide feedback and report security incidents without fear of retaliation. Benchmark your cybersecurity performance against industry standards and objective metrics to identify areas of improvement and track progress over time.

By focusing on these three key areas, you can build a strong cybersecurity culture within your organization, which will ultimately help you raise awareness of cyber risk, gain the willingness of the board of directors to invest in cybersecurity defense, and make cybersecurity a strategic part of the corporate culture.

Measuring Success

As a CISO, measuring the success of your cybersecurity program is crucial to ensuring continuous improvement and demonstrating the value of cybersecurity initiatives to the board of directors.

Using Key Performance Indicators

Establishing Key Performance Indicators (KPIs) can help quantify the effectiveness of your cybersecurity program. KPIs should be aligned with the organization’s overall objectives and risk appetite. Some examples of KPIs that you can use to measure the success of your cybersecurity efforts include:

  • Number of security incidents detected and resolved within a given period
  • Reduction in the time taken to detect and respond to incidents
  • Percentage of employees completing security awareness training
  • Number of vulnerabilities identified and remediated

These KPIs should be presented to the board of directors in a clear and easy-to-understand manner. This will help them grasp the significance of the data and make informed decisions regarding cybersecurity investments and strategic priorities.

Conducting Regular Reviews

Regular reviews of your cybersecurity program are essential to measure its effectiveness and identify areas for improvement. Schedule periodic meetings with the board of directors to discuss the progress of your cybersecurity program, share KPI data, and address any questions or concerns that may arise. During these meetings:

  • Provide an overview of the current cyber threat landscape, specifically highlighting threats relevant to your industry and organization
  • Discuss any recent security incidents and the actions taken to mitigate them
  • Share insights on emerging technologies and best practices in the cybersecurity industry that could benefit the organization
  • Seek feedback from board members to ensure their input is incorporated into the ongoing development and refinement of your cybersecurity program

By regularly reviewing your cybersecurity program with the board of directors, you can help keep cybersecurity at the forefront of their decision-making, foster a culture of cyber risk awareness, and drive the necessary investments to strengthen your organization’s security posture.

CISO Board Presentations: 9 Key Slides You Need

The end of the quarter is fast approaching and it’s time to put together your slide deck for the board meeting. Before you begin creating bulleted slides for all the projects your team is working on, take a moment to zoom out. What do your board of directors and C-suite colleagues really want to know?

Most executive leaders have 3 main questions about cybersecurity:

  • Where are we?
  • Where do we want to be?
  • How will we get there?

Answering these questions succinctly is no easy feat, so using a concise and simple narrative to guide your presentation is important. Your goal with this presentation is to help the Board meet its fiduciary duties. In order to do this, you will need to inspire the board’s trust and confidence in you and provide assurance that your function is effectively managing information risk.

4 Key Sections In Your Board Presentations

There are 4 key parts to your board presentation:

1. Summarize the last meeting and refresh your Board about your cybersecurity framework

Summarize the takeaways from the previous Board presentation. Follow-up on unresolved issues or any unanswered questions from the previous meeting. Refresh the Board on your security framework.

2. Present your risk dashboard and review events and changes in risk landscape

Update the Board on the overall risk landscape for your organization, including any notable events. Highlight risks that require immediate action. Present mitigation strategies and explain how the Board can help.

3. Review progress against your strategic Infosec roadmap

Present Infosec’s progress towards the strategic objectives that you presented earlier to the Board. Be transparent about any setbacks and say how you are managing through them.

4. Review any special topic

Discuss any topics that fall outside the scope of the other agenda topics. For example, relevant topics include M&A activity, a data breach, etc.

You can download a PowerPoint template that will help you organize your presentation to the board of directors. If you are a new CISO and presenting to your board for the first time, you should use a variation of this template which can be downloaded here.

“Automating” your board-level presentations

Sorry, can’t be done.

But we can help automate many of the KPIs you would like to report on. Balbix uses specialized AI to identify and prioritize your unseen vulnerabilities across 100+ attack vectors and help you mitigate these risk items. Balbix calculates risk, likelihood, and impact scores for every area of your business and provides intuitive visualizations for your presentations to the board and C-suite colleagues. You can get risk trends to understand how you’re progressing on cyber risk and determine a clear action plan for improving your cybersecurity posture. With Balbix, the board presentation that would’ve taken weeks to complete can be completed in minutes.

Request a demo to learn more.

Boards and cybersecurity

The board agenda has been crowded since the start of the pandemic, and many issues have acquired new urgency. In this episode of the Inside the Strategy Room podcast, Frithjof Lund, the leader of our board services work, speaks with two cybersecurity experts about how boards of directors should help their organizations ensure they are prepared for potential cyberattacks. John Noble is the former director of the United Kingdom’s National Cyber Security Centre and a board member of NHS Digital, the national information and technology partner to the country’s National Health Service. Wolf Richter is a McKinsey partner who helps chief information officers (CIOs) capture the benefits and mitigate the risks of tech-enabled transformations. You can listen to the episode on Apple Podcasts, Spotify, or Google Podcasts.

Frithjof Lund: Cybersecurity has been on the board agenda for some time. In our latest global board survey, participants rated it among their top four priorities. However, when we ask board members about their key challenges today, only one in five mentions cybersecurity. Have you seen a shift in how companies are approaching this issue?

Wolf Richter: It used to be mainly the regulated industries—particularly banks and insurance companies, as well as utilities and public-sector entities on critical national infrastructure—that prioritized cybersecurity. After the WannaCry ransomware attack a couple of years ago, however, many others realized that even without being on the high-target list, they could fall victim to a cyberattack. Retailers and manufacturing companies in particular have become a lot more aware of the vulnerabilities that digitization brings to their operations. Now that working from home has become the norm, and given the massive increase in ransomware attacks that we are seeing, most companies realize how vulnerable they are in an environment where most of their business and employee interactions are conducted through online channels.

Frithjof Lund: You mentioned an increase in cyberattacks. What is driving it?

John Noble: There are two things. One is the change in the business model among the people carrying out these attacks. Cybercrime is becoming industrialized. Vulnerabilities are identified by one set of groups that then share the information with criminal groups. Those criminal groups can, in effect, lease the ransomware in exchange for a percentage of the profits and employ it against victims. That has enabled a massive increase in both the volume of attacks and their sophistication. Ransomware can not only affect the availability of your systems but also result in the release of sensitive data.

Frithjof Lund: Are companies sufficiently prepared to handle this rising threat?

Wolf Richter: It’s a mixed bag. It is becoming apparent who has been thinking about cybersecurity systematically and who has just recently woken up and is starting to improvise. On the one hand, we have seen a massive acceleration in digitization as companies have moved their operations to the cloud and granted remote access to employees. Needless to say, very few had the time to think through the cybersecurity implications. On the other hand, those who have spent the past couple of years preparing—identifying their critical assets and processes, testing the procedures with employees, putting in place emergency plans and fallback scenarios—are seeing those investments pay off.

Frithjof Lund: What approach should boards take to this topic, especially those whose companies are less prepared?

Wolf Richter: The board of directors and the executive leadership need to engage in a critical conversation. The board’s responsibility is to make sure that the executive team has a plan, is prepared, and is preparing the whole organization for the eventuality of an attack. The question is not whether the attack is going to happen and how to prevent it. The real questions are, when will it come? Is the organization prepared to detect it? Is it prepared to stop it? Can it mitigate the effects and get back to normal operations as quickly as possible?

John Noble: Cybersecurity is an issue for the whole organization. Whether it is in advance of or during an incident, you should not just leave it to the chief information officer and the technical team. Leaders need to decide how to manage the tensions between usability, security, and cost, and that is very much where we need the board challenging and testing processes.

Frithjof Lund: What should a board do when an incident happens? John, you have seen that up close in many situations.

John Noble: Going back to preparedness, there is a big difference between how an organization reacts if it has exercised its processes around dealing with an attack in advance and one that has not. Communication is essential. There needs to be a single version of the truth, so everybody both within and beyond the organization understands how the incident is being handled. The board has a crucial role there in supporting the executive team. As I saw during the 800-odd incidents while I was at the National Cyber Security Centre, the executive teams are under tremendous pressure and they need the board’s support and guidance.

The WannaCry incident in May 2017 had a very big impact on the UK National Health Service, where I am now a nonexecutive director on the NHS Digital board. The important thing at the board level was communicating with the vast number of stakeholders across the healthcare system. I can’t say that the NHS got everything right, but it certainly learned a tremendous number of lessons. This meant that going into the pandemic, the board was much more prepared, understanding the vulnerabilities we are carrying and asking the right questions around how those are being mitigated.

Frithjof Lund: Any caveats you would highlight for boards or management teams?

John Noble: Generally, the incident response will go badly if it is just left to the CIO and the technical team. They have a critical role in resolving the incident, but the consequences go beyond the immediate damage. There will be reputational, legal, and operational issues. You need the whole senior-management team to come together.

Wolf Richter: A cyberattack tends to elevate and exacerbate tensions that already exist within an organization. I have seen things go particularly poorly in decentralized organizations with no central leadership team or where it was unclear who would lead during a crisis. When people are not used to working together, establishing trust during a crisis is extremely difficult. Finger-pointing starts, and people fight each other instead of the enemy attacking them from outside.

Frithjof Lund: How do you build cybersecurity capabilities within the organization? What are the key areas boards should focus on?

Wolf Richter: First and foremost is awareness among the whole leadership team. We often see a concerned board member and the CIO but a vast amount of ignorance in between. There should be a shared sense of urgency about this issue within the executive team and the level below. It’s about the awareness that this is not something that affects others but is an existential threat to the organization in the digital world.

The second step is to develop the concepts and tools. This is the hard, unglamorous work that has nothing to do with the folks in black hoodies building some new cybersecurity incubator. It’s about checking: which are the critical assets and processes? Are there procedures in place in case of an attack? It is important during this phase to balance the controls and red tape you put in place so it does not stifle internal innovation, which can give cybersecurity efforts a poor reputation. That’s why these initiatives should be led by people with a business mindset, not just a control or technology mindset.

That leads to the third part, which is building capabilities. This affects the whole company—the process architects and marketing and salespeople when they negotiate with customers, who more and more are asking about security features, especially in engineering and high-tech industries. All these folks need to know whom to turn to for information. When cybersecurity becomes a joint capability, the whole organization becomes more cyber resilient.

John Noble: I would add that with ransomware, one of the big risks is around legacy equipment, which almost every organization has. It represents a vulnerability that attackers are exploiting. We have to treat legacy equipment as untrustworthy and put in place controls to manage it. But only some of those controls are technical, and the business and IT teams need to engage to see whether some of the risk can be managed in other ways. Is that equipment needed? Can it be segmented? Maybe the answer is to migrate to the cloud, which will have investment implications.

Frithjof Lund: If I am a board director concerned about cybersecurity, how do I best understand how well my organization is prepared?

Wolf Richter: There are a couple of ways to measure this. Ideally, an organization would measure the business value at risk from a given incident. However, most companies lack the transparency or a reliable model to translate and collate the business impact of an incident. Many companies turn to what is called a maturity-based approach, using outside benchmarks to assess their controls’ relative level of maturity. While that is better than not managing cybersecurity at all, sometimes it leads to the wrong incentive to simply invest in more controls.

If I were a board member, I would ask which assets or parts of the organization the cybersecurity team and the leadership team focus their attention on. Have they identified employee groups that are particularly vulnerable, such as field service agents or customer service representatives? Do they know how many people have privileged user rights? We live in an environment of scarce resources, and the executive team needs to balance the investments in cybersecurity with investments in all other parts of the business. The more specific they are in targeting initiatives toward specific systems, infrastructures, processes, and people, the better I would feel as a director.

John Noble: I think that’s so important. We cannot just rely on KPIs such as the percentage of service that has been updated. You need to have that engagement. Another way the board can get further assurance is through a third-party challenge, such as penetration testing of critical assets. When was the last penetration test carried out? What did it reveal? What recommendations have been taken forward? But before you do that, you have to identify what is critical and needs to be protected.

Frithjof Lund: Are there cybersecurity investments you see companies making that are poor uses of resources?

John Noble: The cybersecurity market is still immature, and many people are trying to sell boxes that promise to “fix” all your cybersecurity problems. There is no single solution for cybersecurity. It needs to encompass a range of measures, and the most effective measures tackle the basics that make companies vulnerable around security updates, authentication, and how you access and configure the systems.

Wolf Richter: I often see companies doing one-time capital investments but shying away from operating investments in the people. We evaluated one insurance carrier that had a beautiful security operating center, all the licenses and sensors in place, but they lacked the staff to make it run 24/7. You need to have somebody processing the information, but they had one guy who was tasked part-time with translating and sharing the data with the rest of the organization. Of course, it didn’t happen. Companies are overinvesting in some parts but not thinking about how to bring those investments into the day-to-day decision making.

John Noble: To build on that, I saw a case study presented recently by one of the leading companies in this area, around how their detection system that uses artificial intelligence had flagged a system compromise. It turned out that there was nobody to interpret this data, so despite all that investment in a very expensive and sophisticated detection system, nobody took action to prevent damage.

Frithjof Lund: What about the capabilities within the board itself? Where are the main gaps?

John Noble: I think it’s essential that somebody on the board has cybersecurity expertise to provide a challenge for the CIO and the chief security officer [CSO]. They can also help with building up the overall board’s knowledge, because leaving cybersecurity to one person is absolutely not the answer. You need the whole of the board to engage, to bring their experience of other areas to provide the right challenge in this space.

Wolf Richter: We need to demystify cybersecurity. The typical reaction of a board that has low cybersecurity skills is, “Ooh, that is not a topic for us. Let’s call the CSO or the CIO and they can explain what is happening.” But cybersecurity is not rocket science. It is somebody tinkering with your processes, systems, assets, and data. This realization usually comes easier if a board member says, “It is our job to make sure the organization is prepared. We don’t have one guru or wizard who will fix all our problems.”

John Noble: I very much recognize that description. The organizations that are not cyberliterate want to leave it to the CIO and the CSO. But those executives want to share some of the risks and to expose the critical issues to the board, not least because these issues often require investment and difficult trade-offs between cost, usability, and security.

Frithjof Lund: John, you mentioned that even having one cyberliterate board director could help build the capabilities of the entire board. Can you elaborate?

John Noble: I have seen companies organize exercises that serve as both teaching opportunities and opportunities to highlight the risks the organization faces: giving the board a briefing on the threat and then looking at how best-in-class companies address it.

Wolf Richter: We insert cyberexercises into Silicon Valley trips we do with boards. The directors visit high-tech companies and then we show them the dark side of digitization, demonstrating what can happen if you don’t pay attention to the risks that come with the opportunities that technology provides. Getting their attention when they are doing something special outside their normal duties has proven tremendously effective in making it memorable.

Frithjof Lund: Wolf, you mentioned at the start an acceleration of attacks. What will be the big cybersecurity threats in the coming years?

Wolf Richter: We see a massive professionalization as more organized crime discovers cyberattacks as a profitable activity. You need to expect attackers to be equipped with almost military-grade weapons. The large military organizations have invested heavily in building those cybertechnologies, and we have seen more than one event where one of these military-grade attacks had leaked out onto the dark net. It’s like placing machine guns in the hands of burglars around the corner.

The big difference is that these digital machine guns are tremendously hard to control and extremely easy to replicate. This is simply code—coding tools that you can copy and share with others. On the other hand, the goal of many attacks we are seeing, particularly involving ransomware, is to make money, so at some stage there is a negotiation over the ransom. That combines cybercrime with good old-fashioned crime that police and private investigators have experience with.

Much is happening on the technology side as well. The shift to the cloud poses a whole new set of risks. While, by and large, the infrastructures of the large-scale cloud providers are much more secure than what most companies can implement in their own data centers, it is naive to believe that the cloud service provider will take care of all your security needs. On the contrary: we are seeing a massive increase in breaches of cloud-hosted applications for lack of proper configuration. Your IT department needs to acquire a new set of engineering skills to manage cloud environments.

John Noble: The cloud, as you say, Wolf, is a great opportunity, in particular to move off legacy infrastructure, but issues such as authentication remain your company’s responsibility. It’s very important that the board understands that however secure cloud service providers may be, the company still holds a great deal of the risk. And, sadly, we see some very large-scale breaches as a result of people simply not understanding how the cloud works.

Frithjof Lund: Do you have any advice for board directors on how they can stay on top of the battle against cyberattackers?

Wolf Richter: Any digitization program should have a cybersecurity budget. Companies need to drive digitization in a secure manner. Haphazard digitization just creates legacy infrastructure of the future, so you need to use best practices now in terms of secure coding, secure agile, secure DevOps. Companies need to make sure there is a security mindset across the whole life cycle.

John Noble: I don’t think it is inevitable that companies will be compromised. There are opportunities to get this right and they are around recognizing the genuine threat. We are building national economies on something that is inherently unsafe—the internet—and we have to mitigate that by taking a series of measures. The board has to ensure that executive leaders are looking at both the worst-case and best-case scenarios and are prepared to make some compromises to ensure a secure infrastructure.

What Your Board Does (& Doesn't) Need To Know About Cybersecurity

Special thanks to Venky Ganesan, the managing director of Menlo Ventures, for his insights into this topic.

Your board doesn’t need…

  • A tremendous level of technical detail on your cybersecurity program. For instance, the type of security architecture you’re using isn’t of the utmost importance during a board presentation.
  • Multiple individuals in charge of reporting cybersecurity. Instead, appoint one person to consistently report to the board.
  • Overstated cybersecurity risk. Consistently exaggerating the level of risk your organization is facing won’t help you in the long run.

Whether you’re a CISO or someone else who is tasked with reporting cybersecurity to the board, how do you determine exactly what they need to know? The four things below will get you started.

4 Things To Emphasize In Your Cybersecurity Presentation To The Board Of Directors

1. Cybersecurity is like any other risk situation.

Your board must understand that cybersecurity risk should be treated like any other kind of organizational risk: operational, financial, legal, etc. Boards are less likely to feel comfortable with this subject matter than with, say, financial risk, but cybersecurity requires the same level of emphasis.

2. Cybersecurity is about risk mitigation, not risk removal.

Now that your board knows they’re taking on a risk situation, they need to know your proposed strategies to mitigate that risk. Note the use of the word mitigation, not removal. As Venky Ganesan, managing director of Menlo Ventures, puts it, “You can’t avoid hurricanes. But you can know a hurricane is going to happen and have a clear idea of what to do when it hits.”

3. Your proposed risk mitigation strategy.

While your board doesn’t need to know technical details, it does need conceptual understanding of the overall mitigation strategy. For example:

  • Who gets notified in the event of a breach?
  • How does an event get escalated?
  • What insurance policy do we have in place?
  • How will our continuous monitoring platform help us?
  • What remediation techniques are in place post-breach?

4. What other organizations have gone through with regard to cybersecurity.

To help board members truly appreciate the criticality of cybersecurity, highlight the experience of other companies. “Cybersecurity can be a very abstract concept,” explains Ganesan. “What is not abstract is knowing what has happened to other companies in case of a breach, and the consequences of that breach.” Consider the 2013 Target breach, in which many of Target’s board members were sued and an oversight committee recommended replacing the board.

Additionally, you may want to highlight any regulatory pressures in your business or industry relating to cybersecurity and how to address those appropriately.

Hit all the high notes in your next cybersecurity board report.

It’s one thing to keep these four elements in mind regarding cybersecurity risk and the board of directors—but it’s another to make sure that presentation is compelling. Are you prepared? You will be in no time with this guide.

A board’s guide to the NIST Cybersecurity Framework for better risk oversight

Many directors are concerned about their effectiveness in overseeing cybersecurity. We believe the NIST Cybersecurity Framework can be a particularly useful tool for boards. The framework provides guidance on how directors can engage with company leadership around this critical issue, and directors don't need to read the framework cover to cover. Instead, you can get started with our primer, which describes five activities that define a holistic approach to a company's cyber risk management.

Sean Joyce, Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Maria Castañón Moats, Leader, Governance Insights Center, PwC US

Matt Gorham, Cyber & Privacy Innovation Institute Leader, PwC US

Barbara Berlin, Managing Director, Governance Insights Center, PwC US

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
CISO series: Talking cybersecurity with the board of directors

  • By Microsoft Secure Blog Staff

In today’s threat landscape, boards of directors are more interested than ever before in their company’s cybersecurity strategy. If you want to maintain a board’s confidence, you can’t wait until after an attack to start talking to them about how you are securing the enterprise. You need to engage them in your strategy early and often—with the right level of technical detail, packaged in a way that gives the board exactly what they need to know, when they need to know it.

Cyberattacks have increased in frequency and size over the years, making cybersecurity as fundamental to the overall health of the business as financial and operational controls. Today’s boards of directors know this, and they are asking their executive teams to provide more transparency on how their company manages cybersecurity risks. If you are a technology leader responsible for security, achieving your goals often includes building alignment with the board.

Bret Arsenault, corporate vice president and chief information security officer (CISO) for Microsoft, was a recent guest on our CISO Spotlight Series, where he shared several of his learnings on building a relationship with the board of directors. We’ve distilled them down to the following three best practices:

  • Use the board’s time effectively.
  • Keep the board educated on the state of cybersecurity.
  • Speak to the board’s top concerns.

Use the board’s time effectively

Members of your board come from a variety of different backgrounds, and they are responsible for all aspects of risk management for the business, not just security. Some board members may track the latest trends in security, but many won’t. When it’s time to share your security update, you need to cut through all the other distractions and land your message. This means you will want to think almost as much about how you are going to share your information as what you are going to share, keeping in mind the following tips:

  • Be concise.
  • Avoid technical jargon.
  • Provide regular updates.

This doesn’t mean you should dumb down your report or avoid important technical information. It means you need to adequately prepare. It may take several weeks to analyze internal security data, understand key trends, and distill it down to a 10-page report that can be presented in 30 to 60 minutes. Quarterly updates will help you learn what should be included in those 10 pages, and it will give you the opportunity to build on prior reports as the board gets more familiar with your strategy. No matter what, adequate planning can make a big difference in how your report is received.

Keep the board educated on the state of cybersecurity

Stories about security breaches get a lot of attention, and your board may hope you can prevent an attack from ever happening. A key aspect of your role is educating them on the reasons why no company will ever be 100 percent secure. The real differentiation is how effectively a company responds to and recovers from an inevitable incident.

You can also help your board understand the security landscape better with analysis of the latest security incidents and updates on cybersecurity regulations and legislation. Understanding these trends will help you align resources to best protect the company and stay compliant with regional security laws.

Speak to the board’s top concerns

As you develop your content, keep in mind that the best way to get the board’s attention is by aligning your messages to their top concerns. Many boards are focused on the following key questions:

  • How well is the company managing its risk posture?
  • What is the governance structure?
  • How is the company preparing for the future?

To address these questions, Bret sticks to the following talking points:

  • Technical debt: an ongoing analysis of legacy systems and technologies and their security vulnerabilities.
  • Governance: an accounting of how security practices and tools measure up against the security model the company is benchmarked against.
  • Accrued liability: a strategy to future-proof the company to avoid additional debts and deficits.

When it comes to effectively working with the board and other executives across your organization, a CISO should focus on four primary functions: manage risk, oversee technical architecture, implement operational efficiency, and most importantly, enable the business. In the past, CISOs were completely focused on technical architecture. Good CISOs today, and those who want to be successful in the future, understand that they need to balance all four responsibilities.

Be sure to check out the interview with Bret in Part 1 of the CISO Spotlight Series, Security is Everyone’s Business, to hear firsthand his recommendations for talking to the board. And in Part 2, Bret walks through how to talk about security attacks and risk management with the board.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great reference if you are searching for a benchmark model.

To read more blogs from the series, visit the CISO series page.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Presenting IT and OT Cybersecurity Strategy to Executives/Board of Directors

This blog post continues the ninth edition of the Securing Things newsletter, Digital Transformation & Cybersecurity Premier (an introduction), and the 11th edition, IT & OT/ICS Cybersecurity Strategy, which covers drafting an integrated IT and OT/ICS cybersecurity strategy or independent ones. If you missed them, I highly recommend reading them first before reading this edition of the newsletter.

Let's get started. Are you ready?

Now that you have laid out the high-level steps of the #digitaltransformation and #cybersecurity #strategy journey and finished drafting and developing the #cybersecurity strategy (phase 1 in the strategy lifecycle), the next step is preparing and presenting the cybersecurity strategy to business executives and/or the board of directors to get their buy-in and approval for the funding, executive commitment, and resources required to execute the strategy (phase 2 in the strategy cycle).

This is probably one of the most daunting and difficult tasks for many, especially for people with technical skills but no management background or business skills; many struggle to get the message across and do not get the right level of support or funding from business leaders and executives. You need to take off your technical hat and put on your business hat: simplify the messaging around the cyber risk equation and focus on the risks and consequences your organization is potentially exposed to.

On a daily basis, business executives and boards of directors work to make the right decisions to move the business forward by managing the varying types of risk (financial, reputational, legal, environmental, ESG, operational, etc.) that their operations must address, so that investment decisions are prioritized.

Before the Presentation

Research the executive audience you will be presenting to (what they like to discuss, their interests, their persona types, and so on). If you know them personally you may have an advantage, but in many cases you will not interact with them on a daily basis; if you do not know them closely, ask people who have presented to them before and take their feedback on what works and what may not.

Presentation (Content Preparation-to-Delivery)

The storyline.

Make it sound like you are taking them on a short, precise, quick journey: you project the current state of affairs, what your recommended target state looks like, and what it would take the business to achieve that target state, i.e. a managed-risk state.

Presentation Content

Below is an example agenda:

Agenda/Presentation Title: choose a catchy title that draws attention (signalling that something important is coming) and that resonates with the business vision or priority goals, e.g.:

  • Global Cybersecurity Strategy (2023-2026) or
  • IT and OT/ICS Cybersecurity Strategy & Program Roadmap - A structured risk reduction approach.

Note: choose your own environment and best scenario specific titles.

[Image not available: the example agenda slide referred to in the bullets below]

  • Brand name/products/services could be replaced by your specific business elements, e.g. X food and X beverage brand or product names/services, or anything else that is business specific.
  • Depending on the executive leadership style, some would prefer the asks (item 4 in the picture above) to be put earlier in the presentation, before you talk about items 2 and 3. Adjust accordingly.

Ensure you understand the current business climate and situation and if it's the right time to ask in the first place. Budget submission period is perfect, but you need to spread the awareness among peers and other parts of business well in advance to get a buy-in in time for the budget.

Be as specific and precise as possible on the asks from the executives (e.g., resource requirements, staff involvement, approvals and funding etc.).

Taking Inspiration from Different Experts from the Field

It's great to learn from experts that share some wonderful techniques on how they are moving ahead with their plans, what hurdles they face and how they've overcome them including ideas on what to present and what not to cover.

Below is a list of a few great video presentations for reference:

  • A case study master class on Reporting Cyber Risk to the Board by Omar Khwaja - YouTube (by Omar Khawaja)
  • A Practical Approach to Presenting to the Board of Directors for CIOs #GartnerSYM (by Tina Nunno)
  • How to Present Cyber Security Risk to Senior Leadership | SANS Webcast - YouTube (by James Tarala)
  • Briefing the Board: Lessons Learned from CISOs and Directors - YouTube (by Alan Paller, John P.)
  • Risk Management & Executive Communication with Patrick Miller (by Patrick C Miller)
  • Cybersecurity Leadership - YouTube (112-video playlist from the #sansinstitute #cybersecurityleadership series; many presenters to thank)

Presentation Delivery:

You will likely have only 30 minutes to an hour (if you are lucky) to get your message across and make it stick with executives. Prepare. Do some dry runs with colleagues and your team. Modify and adjust.

Be ready to request another time slot or to shorten your presentation, as far too often something urgent will come up at the last minute. Have a 15-minute version of the talk in mind in case the original time slot is cut short.

Tip: check out the example videos above for insightful tips and approaches.

Executives and the board care about (or are tasked with) the following few things:

  • risks (regulatory, security, brand/reputation, financial, innovation or lack thereof),
  • revenue/mission,
  • costs (doing more with less), and
  • customers and shareholders.

Secure, standardized, and resilient business operations help drive all of these in a positive direction, and the presentation should touch upon the points above to emphasize the benefits across each of them.

Good luck for your next IT and OT (or one of them) Cybersecurity Strategy and Roadmap presentation internally or to your clients/customers.

In case it's time for presenting your 1st IT & OT Cybersecurity Strategy or time for an update/re-write - feel free to reach out to me via DM or get in touch at info[@]securingthings[dot]com for any business needs, project support, discussions and or simply information sharing.

Follow @securingthings. It’s a great day to start “Securing Things”. 

Muhammad Yousuf Faisal

© 2024 International Society of Automation. All rights reserved.

CISO’s Guide to Presenting Cybersecurity to Board Directors

  • Cyber News, Hacks, News
  • March 24, 2024

Effective Communication with the Board

Successfully delivering a cybersecurity presentation to the board of directors relies heavily on effective communication. To ensure a powerful and easily understood message, use the following techniques: straightforward and brief language, visual presentation of cybersecurity information, and a clear connection between cyber threats and their impact on the business.

Using Clear and Concise Language

When speaking with the board, avoid over-technical security language. Instead, use layman terms and familiar analogies that board members can quickly comprehend. Examples of simple language include referring to “malware” as “malicious software” or “harmful programs” and using “data breach” instead of “unauthorized access to sensitive information”. These adjustments will make your communication more accessible and enable board members to grasp the importance of cybersecurity risk management.

Visualizing Cybersecurity Data

Charts, graphs, and other visual elements can help to highlight trends, patterns, and vulnerabilities within your company’s cybersecurity landscape. For example, pie charts can represent the proportion of various types of cyber threats and line charts can indicate the growth or decline of security incidents. These visualizations help board members to better understand complex data, making it easier for them to engage with your presentation and make well-informed decisions.

Connecting Cyber Risks to Business Impact

To make a lasting impact on board members, it’s important to relate cyber risks directly to the organization’s business objectives and overall strategy. Showcase the potential financial, operational, and reputational impacts of a cyber incident to emphasize the significance of cybersecurity in sustaining long-term business success. Demonstrate the financial loss resulting from a data breach or ransomware attack, highlight how a cyber incident can affect client trust, and stress the importance of compliance with industry regulations and the potential consequences of non-compliance.

  • Use clear and concise language when speaking with the board
  • Visualize complex cybersecurity data using charts and graphs
  • Connect cyber risks to business impact to emphasize the importance of cybersecurity

By considering these strategies when presenting to the board, you can ensure that your message is both clear and impactful.

Cybersecurity Governance for the Board of Directors

Course Highlights

  • Delivered in our live online format, enabling real-time interaction with faculty and global peers
  • Provides board members, the C-suite, and other senior executives with essential knowledge and perspectives for cybersecurity strategy, leadership, and management 
  • Explains the varying cybersecurity frameworks and regulatory requirements (“best practices”) for managing cybersecurity-related risk separate from the specialized IT infrastructure typically associated with this topic
  • Confers a certificate of course completion from the MIT Sloan School of Management

Why attend Cybersecurity Governance for the Board of Directors?

Organizations of every size and in every industry are vulnerable to cybersecurity risks—a dynamic landscape of threats and vulnerabilities and a corresponding overload of possible mitigating controls. Businesses that want to get ahead of this risk understand the value of having deep cybersecurity competencies on their board. To ensure boardroom skills reflect the patterns of the marketplace, companies such as FedEx, Hasbro, PNC, and UPS have transformed their approach to governing cyber risk, starting with board cyber expertise.  

However, board members face a significant challenge in fulfilling their fiduciary responsibilities in the oversight of cybersecurity and data privacy risk. Being a knowledgeable board member does not mean becoming a cybersecurity expert, but it does mean understanding basic concepts, risks, frameworks, and approaches. It also means being able to assess whether management appropriately comprehends the related threats, has an appropriate cyber strategy, and can measure its effectiveness. Board members today require focused training on these critical areas to carry out their mission.

Course Experience

Created, designed, and developed by experts in cybersecurity, data privacy, and corporate policy and governance from the MIT Sloan School of Management, Cybersecurity Governance for the Board of Directors provides a holistic, enterprise approach to cybersecurity and data privacy. Course faculty are colleagues at the Cybersecurity at MIT Sloan (CAMS) research consortium, the only research group in the world that focuses entirely on the managerial side of cybersecurity. Topics covered include governance, protection and response, law and regulations, and security strategy and culture.

The goal of this course is to assist board members, C-suite leaders, and other senior executives in quickly gathering essential language and perspectives for cybersecurity strategy and risk management to better carry out their oversight and leadership responsibilities.

Learn more about the live online experience.

Please note, if you have already completed Cybersecurity Leadership for Non-Technical Executives, there is some overlap in course materials used, though the content is framed differently for the purposes of this audience.

Applying to the course

We accept enrollments until the offering reaches capacity, at which point we will maintain a waitlist. Many of the courses fill up several weeks in advance, so we advise that you enroll as early as possible to secure your seat.

Have questions?

Contact us if you would like to speak with a program director or visit our Frequently Asked Questions page for answers to common questions about our courses.

Participants will leave this course with an understanding of

  • The role of the board as it relates to cybersecurity and breach planning, response, and management
  • The importance of building a corporate culture of cybersecurity
  • Cybersecurity's role in data protection and privacy concerns
  • The primary cybersecurity regulations and how they impact companies across different industries
  • Evolving cyber vulnerabilities such as human engineering and supply chain cyber risks  

Sample Schedule—Subject to Change

Cybersecurity risk is relevant to every organization of every size. This course is designed specifically for board members and senior leaders of companies who understand the importance of upskilling the boardroom to reflect the patterns of the marketplace and serve the needs of their organization in a time of escalating cybercrime. We highly recommend sending multiple individuals from your organization and board so that the individuals can develop a shared language and understanding of the digital concepts.

Help Net Security

Advanced cybersecurity strategies boost shareholder returns

Companies demonstrating advanced cybersecurity performance generate a shareholder return that is 372% higher than their peers with basic cybersecurity performance, according to a new report from Diligent and Bitsight.

Boards under pressure to fortify cyber oversight

The escalation in the frequency and severity of cyber incidents has positioned cyber risk as one of the foremost challenges confronting boards. With cyber threats becoming increasingly sophisticated and pervasive, boards are under pressure to effectively address cybersecurity risks to safeguard their organizations’ interests.

With projected financial losses from data breaches estimated to reach approximately USD 10.5 trillion by 2025, and new pressure from regulators like the SEC, the oversight role of the board becomes even more crucial. Boards are prioritizing robust oversight mechanisms to mitigate cyber risk and protect their organizations’ financial health and reputation.

However, the approaches boards take to address cyber risk vary, prompting questions about the effectiveness of different board governance structures and strategies.

The report also reveals that highly regulated industries, such as healthcare and financial services, have the highest cybersecurity ratings, and companies with either a specialized risk committee or audit committee achieve better cybersecurity performance compared to those with neither, with ratings of 710 and 650 respectively.

“These findings show that cybersecurity is not just an IT problem — it is an enterprise risk that has material impact on a company’s near-term performance and long-term health, and one that management and the board need to be up to speed on,” said Dottie Schindlinger, Executive Director of the Diligent Institute. “With increased pressure from regulators for organizations to demonstrate how they oversee cybersecurity, now is the time for boards and leaders to build their competency around cyber risk.”

“Cybersecurity is no longer about simply mitigating risk, it’s now a key indicator of financial performance. Companies must treat cybersecurity as a cornerstone of their business strategy, guided by clear, ambitious benchmarks, and backed by the full support of their boards,” added Dr. Homaira Akbari, CEO of AKnowledge Partners, Board of Directors member for Banco Santander and Landstar System, and member of Bitsight’s Advisory Board.

Security rating and financial performance

Companies with advanced security ratings create nearly four times the amount of value for shareholders as companies with basic security ratings.

The average total shareholder return (TSR) for companies with advanced security performance ratings over a five-year and three-year period was 71% and 67%, respectively, while companies in the basic performance range delivered 37% and 14% TSR over the same time frames.

Companies with a higher number of independent directors are more likely to have advanced security ratings. About 76% of directors on the boards of these companies with advanced security ratings are independent, compared to 66% in the basic security performance category.

Specialized risk or audit committees enhance cybersecurity performance

The median cybersecurity rating for companies with specialized risk committees is 730, compared to 720 for companies with just audit committees, indicating there is not a significant difference in the ability of the audit committee to oversee cyber risk compared to a specialized risk committee.

Having a cybersecurity expert on the general board is not enough – those experts need to be directly involved with cyber oversight. Companies with cybersecurity experts on either audit or specialized risk committees achieve an average security performance rating of 700, whereas companies with cybersecurity experts on the general board, but not on either committee, attain a security rating of 580.

Highly regulated industries excel in cybersecurity compared to others

The healthcare sector had the highest average security ratings overall at 730. Of the companies with advanced security performance ratings, 33% came from the financial services sector, with an average rating of 720.

By comparison, 24% of companies with basic security performance ratings came from the industrials sector, and the sector with the lowest overall performance rating was the communications sector, at 630.

“The research shows that market leading companies that prioritize cyber risk management outperform their peers,” said Derek Vadala, Chief Risk Officer, Bitsight. “This cannot be achieved without a strong understanding of cybersecurity performance and clear benchmarks shared across the executive team and board. The role of the CISO has shifted. Cyber risk is a key component of business performance.”

Report suggests cybersecurity investment, board involvement linked to better shareholder returns

The study by Diligent and Bitsight points to advanced security and strong risk or audit committees as good predictors of an enterprise’s financial success.

Cybersecurity preparedness and financial success are strongly correlated: companies that maintain strong security measures outperform peers with only basic defenses by as much as 372% in shareholder returns, according to a report by Diligent and Bitsight.

The report, which analyzed data from more than 4,000 global companies, found that over a three-year period, the average total shareholder return for companies with advanced security performance ratings was 67%, compared to 14% for companies with only basic ratings.

Over a period of five years, companies in the advanced performance range showed an average total shareholder return of 71%, while those in the basic performance range recorded an average return of 37%.

“Some of the companies with high cybersecurity scores are in high-growth sectors, such as technology, that have had strong financial performance over the last several years,” the report’s authors said. “Additionally, the improved performance may also stem from the fact that companies in the advanced security performance bracket also possess robust governance fundamentals.”

While it might be a stretch to draw a direct link between better financial performance and good cybersecurity, “we know that the insurance industry is beavering away to pool actuarial data together,” Gareth Lindahl-Wise, CISO of managed detection and response provider Ontinue, told CSO. “What is indisputable is the positive advantage organizations derive from perceived and actual high levels of cybersecurity performance on reputation.”

Risk and audit committees linked to better cybersecurity performance

The report also found that companies with specialized risk or audit committees demonstrated a more robust cybersecurity performance than those without either. The report’s rating system assigned each company a cybersecurity rating between 250 and 900 — those with specialized risk committees received a median rating of 730 and those with audit committees a median rating of 720.

The report emphasizes the direct involvement of cybersecurity experts within these committees as a critical factor. Companies with cybersecurity experts on either audit or specialized risk committees achieve an average security performance rating of 700, significantly higher than the 580 rating for companies with such experts only on the general board.

The report also highlights that highly regulated industries typically outperform others. The healthcare sector led with an average security rating of 730, while the financial services sector accounted for a significant proportion (33%) of companies that demonstrated advanced security performance, with an average rating of 720. Conversely, 24% of companies with basic security performance came from the industrial sector. The communications sector, according to the report, has the lowest overall performance rating at 630.

Highly regulated companies and industries traditionally adopt cyber programs and best practices more quickly because they’re used to, and better at, managing their risk, said Dave Gerry, CEO of cybersecurity firm Bugcrowd. “Ensuring that they are in compliance with the regulatory requirements they face is in their culture; adding cyber is simply another requirement they need to comply with,” he added.

More board involvement means more internal scrutiny

Companies with audit committees typically fare better than others when it comes to cybersecurity because of internal scrutiny, Lindahl-Wise said. “An informed audit (and more often an audit and risk committee) is more aware and aligned to the actual risks organizations are facing and will hold them to remediation plans than generic risks regulations focus on,” he said. “One envisages that the time to remediation of risks will be quicker with organizations with active audit committees in place.”

Companies with robust cybersecurity measures are not only taking concrete measures to protect their systems and sensitive data, but modern, next-generation solutions can also streamline operations and make employees more efficient, said Patrick Tiquet, vice president of security and architecture at Keeper Security. For example, a digital password manager can autofill passwords and reduce help-desk costs by significantly lowering the number of password-reset requests. “Automating routine tasks like these allows organizations to free up valuable resources they can then direct towards their business growth and strategic initiatives.”

Sascha Brodsky is a contributing writer for the Foundry group of publications.

COMMENTS

  1. The 15-Minute, 7-Slide Security Presentation for Your Board of Directors

    The 15-Minute, 7-Slide Security Presentation for Your Board of Directors. November 05, 2019. Help the board understand why cybersecurity is critical to the business. When the request comes in to give a cybersecurity presentation to the board, security leaders should jump at the chance to educate the executives.

  2. What To Include In Your Cybersecurity Board Of Directors Presentation

    Below are some of the topics you may want to cover in your first presentation: A high-level overview of different threat actors. How you generally approach cybersecurity: Who is in charge, how you work together, what the components are, etc. Risks to your cybersecurity environment (i.e., the things you're concerned about).

  3. Cybersecurity Presentation Guide For Security And Risk Leaders

    This means that cybersecurity risk at an enterprise level is not only a board discussion, but also a personal liability for board members. "Communication and reporting is more an art than a science," Olyaei says. "Security leaders must be able to educate, assure, empower and inform the board within the specific period of time allotted to ...

  4. PDF Effective CISO Presentations to the Board

    risk, and your board wants to hear it. In a recent Diligent survey, we asked directors to name the issue that gives them the most concern if they were to confront it in a crisis. Cybersecurity topped the list by a huge majority, at 75%, with supply chain disruption coming in a distant second at 46%. Yet 41% of our respondents also told us that

  5. 12 tips for effectively presenting cybersecurity to the board

    Here, several experienced leaders share their advice for presenting to the board: 1. Do more prep work. Executives are expected to prepare written reports for distribution to board members in the ...

  6. Presenting to BOD

    Download Presenting to BOD, built by SANS Instructor Lance Spitzner, a slide deck on how to prepare for and present to Board of Directors on Cybersecurity.

  7. CISO's Guide to Presenting Cybersecurity to Board Directors

    Effective communication is a crucial aspect of delivering a successful cybersecurity presentation to the board of directors. By considering the following strategies, you can ensure that your message is both clear and impactful. Using Clear and Concise Language. It is essential to avoid over-technical security language when speaking with the board.

  8. CISO Board Presentations: 9 Key Slides You Need

    There are 4 key parts to your board presentation: 1. Summarize the last meeting and refresh your Board about your cybersecurity framework. Summarize the takeaways from the previous Board presentation. Follow-up on unresolved issues or any unanswered questions from the previous meeting. Refresh the Board on your security framework. 2.

  9. How CISOs can ace board presentations

    For example, a CISO may have 30 minutes with the board committee and only 20 minutes with the full board. Format: How CISOs choose to present the materials to the board. The format of an update is usually a brief summary with an appendix. For example, CISOs may provide the board with a three-page summary that has a 30-page appendix including ...

  10. 6 Slides Every CISO Should Use in Their Board Presentation

    1. Level the conversation. Set expectations for your board and overview the conversation. The goal of the next 15 - 20 minutes will be to establish where their enterprise is on cyber risk, where it should be, and how it will get there. 2. Quantify the cyber risk spectrum. Provide a bar chart with breach likelihood for ...

  11. The CISO's Guide to Reporting Cybersecurity to the Board

    Explaining key security details to the board. When presenting, it is important to explain cybersecurity matters in a way that both makes sense to and benefits the board. Here are some examples of how you can explain key cybersecurity matters to your board of directors: How to explain intrusion attempts. The word to focus on here is "attempt."

  12. How boards can lead cybersecurity

    The board agenda has been crowded since the start of the pandemic, and many issues have acquired new urgency. In this episode of the Inside the Strategy Room podcast, Frithjof Lund, the leader of our board services work, speaks with two cybersecurity experts about how boards of directors should help their organizations ensure they are prepared for potential cyberattacks.

  13. What Your Board Does (& Doesn't) Need To Know About Cybersecurity

    4 Things To Emphasize In Your Cybersecurity Presentation To The Board Of Directors 1. Cybersecurity is like any other risk situation. Your board must understand that cybersecurity risk should be treated like any other kind of organizational risk: operational, financial, legal, etc. Boards are less likely to feel comfortable with the subject matter as opposed to, say, financial risk, but ...

  14. A board's guide to the NIST Cybersecurity Framework for better ...

    Many directors are concerned about their effectiveness in overseeing cybersecurity. We believe the NIST Cybersecurity Framework can be a particularly useful tool for boards. The framework provides guidance on how directors can engage with company leadership around this critical issue. And, directors don't need to read the framework cover to cover.

  15. CISO series: Talking cybersecurity with the board of directors

    Use the board's time effectively. Keep the board educated on the state of cybersecurity. Speak to the board's top concerns. Use the board's time effectively. Members of your board come from a variety of different backgrounds, and they are responsible for all aspects of risk management for the business, not just security.

  16. Presenting IT and OT Cybersecurity Strategy to Executives/Board of

    Executives and boards care about (or are tasked to care about) the following few things: risks (regulatory, security, brand/reputation, financial, innovation or lack thereof), revenue/mission, costs (do more with less), customers and shareholders. Secure, standardized and resilient business operations help drive all these things towards positive ...

  17. CISO's Guide to Presenting Cybersecurity to Board Directors

    Successfully delivering a cybersecurity presentation to the board of directors relies heavily on effective communication. To ensure a powerful and easily

  18. 5 Security Questions Your Board Will Definitely Ask

    Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer. How to Build an Effective Cybersecurity and Technology Risk Presentation for Your Board of Directors. Develop Key Risk Indicators and Security Metrics That Influence Business Decision Making *Note that some documents may not be available to all Gartner clients.

  19. 4 Things Every CISO Must Include in Their Board Presentation

    Sample CISO Operational Plan for Information Security. 4. Any Special topics that the board needs to be aware of. Include any special topics that fall outside the scope of the other agenda topics but are worthy of board awareness and/or discussion. These could be M&A activity with significant infosec aspects, leadership changes, or compliance ...

  20. 12 tips for effectively presenting cybersecurity to the board

    Don't let your board presentation miss the mark. Follow these best practices and common mistakes to avoid when communicating cybersecurity risk to the board. Written by Mary K. Pratt — Contributing writer, CSO. Cybersecurity is a top concern for boards of directors.

  21. Cybersecurity Governance for the Board of Directors

    Cybersecurity risk is relevant to every organization of every size. This course is designed specifically for board members and senior leaders of companies who understand the importance of upskilling the boardroom to reflect the patterns of the marketplace and serve the needs of their organization in a time of escalating cybercrime.

  22. Empowering cybersecurity leadership: Strategies for effective Board

    How cybersecurity leadership can foster a strong relationship with the Board of Directors. Engaging the board of directors may seem like a difficult task, but there are steps an organization can ...

  23. Cybersecurity And The Role Of The Board

    It's highly unusual for a government agency (CISA) to reach out directly to corporate board members. Additionally, on March 9th, 2022 the SEC issued a 129-page cyber regulation proposal ...

  24. Advanced cybersecurity strategies boost shareholder returns

    Having a cybersecurity expert on the general board is not enough - those experts need to be directly involved with cyber oversight. Companies with cybersecurity experts on either audit or ...

  25. Report suggests cybersecurity investment, board involvement linked to

    Cybersecurity preparedness and financial success are strongly correlated with companies that maintain strong security measures, outperforming peers with only basic defenses by as much as 372% in ...

  26. PDF IT/Cyber Supervision

    • Strong analytical, written, and oral communication skills including strong presentation, and interpersonal skills in dealing with all levels of management, boards of directors and regulatory agencies. • One or more industry certifications such as CISA (Certified Information Systems Auditor), CRISC (Certified Risk

  27. CYB400 Project Two Presentation Joshua Baker (pptx)

    Information-systems document from Southern New Hampshire University, 9 pages, ENHANCING CYBERSECURITY POST-ACQUISITION: ADDRESSING BRAINMELD VULNERABILITIES Informing Decision Making for Grey Matter LLC Board of Directors Presenter's Name: Joshua Baker Date: February 20th, 2024 SECURITY ASSESSMENT OVERVIEW: WHAT IS OPENVAS? • Coll