
What to Expect in Your CISO’s Cybersecurity Presentation

Tom Turner | May 11, 2018

As a member of your company’s board, you know that cybersecurity is a critical risk that simply cannot be ignored, and that should be reported on regularly by the appropriate executives. According to the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, 89 percent of public-company directors say cybersecurity is discussed regularly in board meetings, and 72 percent of private-company directors say the same. Most companies are clearly moving in the right direction.

However, not all directors are familiar with cybersecurity operations and how to assess the associated risks. If you’re a newer member of your company’s board, you may wish to review some of the following topics that you should expect from security and risk teams in their cybersecurity presentations.

Navigating Your First Briefing

If this is your first time listening to a cybersecurity presentation at a board meeting, you can expect the chief information security officer, or CISO, to provide a short background on the company’s cybersecurity practices and how they define cybersecurity in their organization. They’ll also discuss how the board should approach oversight of cybersecurity. The most effective CISOs talk in terms of risk management, which means cutting out technical jargon and focusing on business value. They may also draw the board’s attention to cybersecurity’s impact on stock price and bottom line to establish a common language.

Below are some of the topics you can expect to be reviewed:

  • How the company generally approaches cybersecurity, including the organizational structure.
  • The company’s security performance benchmarked against industry peers.
  • Risks to the company’s cybersecurity environment.
  • The types of data that security teams think are most critical or sensitive to your company’s continued operations.
  • The critical operations that could be impacted by a cyber incident.
  • Some of the key external threats, insider threats, and third-party risks the CISO believes the company faces. This may include examples of cyber incidents that have occurred in other organizations in your sector or beyond.
  • How they envision board member involvement in cyber-risk oversight, and which types of issues the board should be involved in responding to.
  • The cybersecurity and risk management programs the organization has in place.
  • How employees are trained on security internally.
  • The cybersecurity policies the company has in place today and the effectiveness of compliance with those policies.
  • The type of information they plan to share in future presentations.

What to Expect Going Forward

Now that you’ve experienced your first cybersecurity presentation as a board member, you can expect that the CISO will continuously educate you and the rest of the board on critical issues. You can expect to be briefed on the effectiveness of the risk management tactics the company is employing. In other words, you should know where and how the company is succeeding or failing (and how that compares to previous quarters), as well as any areas that need strategic improvement.

Here are some topics you can expect from the CISO in their ongoing security presentations to you and the rest of the board:

  • Technology that the company has purchased and integrated—with a focus on what it is doing for the organization.
  • Technology the CISO wants to purchase and why.
  • The accountability metrics the security team has created, categorized in the following ways, and followed by questions directors should ask the reporting CISO:
    • Audit & Compliance Metrics
      • Are we ISO-27001 compliant?
      • Do we have a vendor risk management program?
      • Do we have any outstanding high-risk findings open from our last audit or assessment?
      • What percentage of the NIST framework are we implementing?
    • Operational Effectiveness Metrics
      • How quickly can we remove employee network access?
      • How quickly can we (or our vendors) identify and respond to incidents?
      • What percentage of our users click on spear-phishing training emails?
      • How did we compare to our peers across certain time spans?

There is a lot to consider and process when listening to an effective cybersecurity presentation. Be sure to prepare yourself beforehand so that you know what to expect and can contribute to future meetings accordingly. 

This blog post originally appeared on NACD’s blog.
