Security in the Board Room

What Your Board Does (& Doesn't) Need To Know About Cybersecurity

Melissa Stevens | August 30, 2017

Special thanks to Venky Ganesan, the managing director of Menlo Ventures, for his insights into this topic.

Cybersecurity training for boards of directors has become more common in recent years. But just because cybersecurity in general is being more widely discussed, that doesn’t mean the right information is always being passed along.

Your board doesn’t need….

  • A tremendous level of technical detail on your cybersecurity program. For instance, the type of security architecture you’re using isn’t of the utmost importance during a board presentation.
  • Multiple individuals in charge of reporting cybersecurity. Instead, appoint one person to consistently report to the board.
  • Overstated cybersecurity risk. Consistently exaggerating the level of risk your organization is facing won’t help you in the long run.

Whether you’re a CISO or someone else who is tasked with reporting cybersecurity to the board, how do you determine exactly what they need to know? The four things below will get you started.

4 Things To Emphasize In Your Cybersecurity Presentation To The Board Of Directors


1. Cybersecurity is like any other risk situation.


Your board must understand that cybersecurity risk should be treated like any other kind of organizational risk: operational, financial, legal, etc. Boards are less likely to feel comfortable with cybersecurity than with, say, financial risk, but it requires the same level of emphasis.

2. Cybersecurity is about risk mitigation, not risk removal.


Now that your board knows they’re taking on a risk situation, they need to know your proposed strategies to mitigate that risk. Note the use of the word mitigation, not removal. As Venky Ganesan, managing director of Menlo Ventures, puts it, “You can’t avoid hurricanes. But you can know a hurricane is going to happen and have a clear idea of what to do when it hits.”

3. Your proposed risk mitigation strategy.


While your board doesn’t need to know technical details, it does need conceptual understanding of the overall mitigation strategy. For example:

  • What policies and procedures are in place if a breach takes place?
    • Who gets notified in the event of a breach?
    • How does an event get escalated?
  • What insurance policy do we have in place?
  • How will our continuous monitoring platform help us?
  • What remediation techniques are in place post-breach?

4. What other organizations have gone through with regard to cybersecurity.


To help board members truly appreciate the criticality of cybersecurity, highlight the experience of other companies. “Cybersecurity can be a very abstract concept,” explains Ganesan. “What is not abstract is knowing what has happened to other companies in case of a breach, and the consequences of that breach.” Consider the 2013 Target breach, in which many of Target’s board members were sued and an oversight committee recommended replacing the board.

Additionally, you may want to highlight any regulatory pressures in your business or industry relating to cybersecurity and how to address those appropriately.

Hit all the high notes in your next cybersecurity board report.

It’s one thing to keep these four elements in mind regarding cybersecurity risk and the board of directors—but it’s another to make sure that presentation is compelling. Are you prepared? You will be in no time with this guide.

It will help you nail down your presentation goals and style, and determine which metrics your board will care about the most; it also offers a number of helpful presentation tips. Download the guide for free below!

