Over the last several weeks, we've looked at the deepest fears we hear from CIOs and CISOs alike in customer meetings and at industry events across the country. From finding the right people to assembling the right portfolio of technology, there is a pervasive fear of the unknown, especially when it comes to cyberattacks.
This week, we'll share another fear we hear often: "How can I convince my Board of Directors that cyberthreats are real and that we need funding to stop them?"
Boards are realizing that cyberattacks deserve their own conversation, separate from the general governance, risk and compliance discussion baked into most meetings. Increasingly, boards across the country are requesting regular briefings on their companies' cybersecurity readiness.
If you are a new CIO or CISO, or your organization has only just begun this practice, it is absolutely critical that you establish credibility when you present to your board of directors. You don't want to come across as the boy who cried wolf, but you also don't want the board to feel it was not kept adequately apprised of the very real threats your company faces.
It's fair to say that if you've never briefed the board on cybersecurity, the questions you get will be far different from those you'll get after you have a few meetings under your belt. We've outlined the topics you should include in your cybersecurity presentations to the board, whether you're a first-timer or a regular in the boardroom.
If this is your first presentation to the board, your goal should be to provide a very high-level overview. Give a short background on cybersecurity, what it means to your company, and why your department is concerned.
Remember to speak in a language the board will understand. You're not at RSA or Black Hat; you're in a room with seasoned management professionals. Cut out the technical jargon. Talk in terms of risk management, stock price, and the bottom line.
As you’re putting together your presentation, consider discussing the following:
- High-level overview of the different cyberthreats and risks to your environment
- Your general approach to cybersecurity
- Current programs you have in place for cybersecurity, from a strategy, technology, and employee training perspective
- The data you consider most critical or sensitive, and therefore most in need of protection
- The critical business operations that would be disrupted by a cyberincident
- Examples of cyberincidents in your industry
- Where you need the board’s assistance
- Your existing cybersecurity policies
The beauty of going over these topics is that it sets the right tone for your board of directors. Moving forward, you can dig a little deeper.
Subsequent board meeting cybersecurity topics
Your focus should shift, because the board can now be briefed on the effectiveness of the risk management measures you're implementing. In short, explain what's working, where you're encountering challenges, and what you need from the board to navigate those obstacles.
Make sure you include the following topics when you update the board:
- Update on cybersecurity technology you’ve purchased and integrated
- An overview of any new technology you wish to purchase and why
- A metrics review in two key areas: Audit & Compliance (e.g. ISO 27001, vendor risk management, audit assessments, and the NIST framework) and Operational Effectiveness (network access, incident response time, cybersecurity employee training, and benchmarking against peers)
No matter how you go about these meetings, what matters most is providing a clear, cogent analysis of the risks your company faces from cyberattacks and of how you want to partner with the board to mitigate them. US Cyber Vault can help: we have the right mix of seasoned intelligence professionals, next-generation secure infrastructure, and the scalability to meet your cybersecurity needs. Visit our website to learn more about our secure cloud computing, storage and managed security services.