Template For New CISO Presentation To Board of Directors
Presentation to Board of Directors
delete this slide after use
Directions
The core presentation is Slides 7-29. Other slides contain instructions and additional materials.
Customize these slides based on the unique context of your organization and industry.
Look out for the Editable box to know which visualizations are modifiable.
Review the guidance in the notes section below each slide.
Use the slides in the appendix section as needed to augment the presentation.
The risk calculations and visualizations shown in this PowerPoint can be automated with Balbix. You can request a demo here or start your free trial.
delete this slide after use
Your goal with all your board presentations is to help the Board meet its fiduciary duties. To do this, you will need to inspire the Board's trust and confidence in you and provide assurance that your function is effectively managing information risk. This first presentation plays a foundational role in setting you up properly with the Board.
Your best bet is to tell a compelling and simple story. It is more important to be interesting than to be complete.
delete this slide after use
3 things the Board cares about:
Revenue: revenue growth and non-revenue objectives
Cost: current and future expense
Risk: compliance, threats to future revenue and brand reputation
delete this slide after use
1. Make a compelling case that cybersecurity and compliance risks pose a meaningful business risk and that your board presentations are designed to help the Board meet its fiduciary duty to provide oversight of risk management.
2. Provide a general overview of how the organization manages information risk.
3. Teach the Board a simple security framework that facilitates risk discussions rather than technical discussions about cybersecurity and compliance.
4. Present Security's current maturity levels against your security framework and lay out your vision and roadmap for improvement.
<company name> Information Security Update
11/8/21
Logo slide of publicly reported breaches: Twitter, JP Morgan Chase, Ashley Madison, LinkedIn, Friend Finder, Verizon, Facebook, Elastic Search, Bell Canada, Sony Pictures, Scottrade, Ticketfly, OPM, Zoom
Timeline slide of regulations, standards and frameworks (years as shown on the slide; "Upcoming" as of the template's date):
Privacy and breach-notification law: GLBA (1999), COPPA (2000), PIPEDA (2000), State-Specific Breach Notification Laws (2003 - Present), HITECH Act (2009), LFPDPP (2010), HIPAA Final Omnibus Rule (2013), FISMA (2014), EU-US Privacy Shield (2016), GDPR (2018), CCPA (2020), NV SB 220 (2019), Consumer Bill of Rights (2015), Federal Breach Notification Law (Upcoming), Data Protection Act (Upcoming), Student Digital Privacy Act (Upcoming), HI SB418 (Upcoming), NY S5642 (Upcoming), MD SB 613 (Upcoming), MA S-120 (Upcoming), MS S.B. 2831, MA LD 946, California S.B., The Basic Cybersecurity Act
Standards and frameworks: NIST Cybersecurity Framework 1.1 (2018), NIST Privacy Framework (2020), CIS Critical Security Controls 7.1 (2019), ISO/IEC 27001 (2013 - Present), HITRUST CSF (2007 - Present), PCI DSS 3.2.1 (2018), COBIT (2019), MLPS 2.0 (2019), Cybersecure Canada (2019), NRC standards (2007-2009), Other Industry Relevant Guidelines (20xx)
5 Principles of Effective Cyber Risk Oversight: Guidance by National Assoc. of Corporate Directors
1. Boards should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Boards should understand the legal implications of cyber risk as they apply to the company's specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework.
5. Board-management discussion about cyber risk should include identification of which risks to avoid, accept, and mitigate or transfer through insurance, as well as specific plans.
CISO responsibilities: Interact with CEO and Board; Manage Incident Response; Manage Security Architecture; Respond to Regulatory Requirements; Risk Management Strategy; Manage Information Security Vendors
Infosec is a Board-Level Topic
Risk Owners
WE USE THE NIST CYBERSECURITY FRAMEWORK
Capability | Description (what went wrong at Equifax) | Our status
Protect
Equifax: Attackers breached Equifax's network through a known vulnerability that was not patched and were able to penetrate deeper due to a flat network.
Us: We continue to invest in protective controls. This year we are deploying EDR and email security, and reducing mean-time-to-patch below 30 days.
Detect
Equifax: Equifax's detection capabilities were hampered by their lack of visibility into the use of expired and self-signed certificates in their network.
Us: We have invested heavily in our monitoring capabilities. Our 24x7 SOC keeps a vigilant eye out for anomalies in traffic patterns.
Respond
Equifax: Equifax waited a full month before announcing the breach, and when they did so it was using a web domain that was not secure.
Us: In case of breach, we have a detailed plan to contact the authorities and inform our customers.
Recover
(left blank in the template; fill in for your organization)
CYBERSECURITY POSTURE MATURITY
Chart: maturity level (Partial, Informed, Repeatable, Adaptive) for each NIST CSF function: Identify, Protect, Detect, Respond, Recover.
CYBERSECURITY KPIs: RISK, LIKELIHOOD & IMPACT
Chart: Risk $17M, Likelihood 48%, Impact $35M, with the quarterly trend ($M, 0-40 axis) for Q3 '19, Q4 '19, Q1 '20, Q2 '20.
Editable. There is a 48% chance that we will have an impact of $35M from a cybersecurity event this year. Risk is the expected loss, likelihood times impact: 48% of $35M is roughly $17M.
RISK BY BUSINESS AND ATTACK TYPE
Charts: Breach Likelihood by Business Unit (0%-100%); Breach Risk by Business Unit, quarter over quarter ($0M-$10M); Breach Likelihood by Attack Vector.
Editable
WE USE THIS WIDGET TO PROVIDE A BIRD'S EYE VIEW OF CYBERSECURITY POSTURE
Chart: overall posture score (0-1 scale) trended over Q3 '19, Q4 '19, Q1 '20, Q2 '20.
CYBERSECURITY KPIs: MEAN-TIME-TO-RESOLVE
Cycle diagram: continuous monitoring -> indicators of vulnerabilities, attack or compromise -> contain -> (back to continuous monitoring)
Infosec is a Board-Level Topic
Protect: Implement strong identity with adaptive authentication. Improve security hygiene and patching posture. Update email security.
• Deploy Okta -> Turn on Okta adaptive auth
• Build Balbix workflows for non-patching risk items -> Improve patching posture using Balbix or similar tool
• Deploy Proofpoint
Recover: Review & update business continuity plan every quarter.
• Review & identify gaps in plan with risk owners -> Develop plan to address gaps -> Implement & test plan
CYBERSECURITY POSTURE GOALS
The Balbix platform uses AI to help discover and analyze your assets and attack surface to Identify areas of greatest risk. This is foundational to effective capabilities for Protect, Detect, Respond and Recover.
IDENTIFY
Maturity Level
Partial:
• Incomplete or manual inventory
• Incomplete and non-continuous vulnerability assessment
Informed:
• Automatic asset discovery and inventory
• Continuous vulnerability assessment across 100+ attack vectors incl. people
• Can quantify the impact of deployed mitigations on risk
Repeatable:
• Previous level capabilities
• New vulnerabilities and risk items are automatically mapped to risk owners
• Risk owners are notified about risk items that require action
Adaptive:
• Previous level capabilities
• Risk is understood in units of currency
• Different mitigation scenarios are simulated and compared
PROTECT
Maturity Level
Partial:
• "Partial" maturity level for Identify capabilities
• Some basic protections in place such as anti-virus and Internet firewall
Informed:
• "Informed" or higher maturity level for Identify capabilities
• Strong Identity
• EDR and VPN deployed, security awareness training
• Continuous vulnerability management for the majority of organization's assets
Repeatable:
• Previous level capabilities
• Automated management of vulnerabilities and risk items
• Continuous security training of people
• Partially segmented network
Adaptive:
• Previous level capabilities
• Zones and Adaptive Trust
• Periodic penetration testing of defenses
Balbix can help your organization implement the Identify and Protect capabilities listed above that are needed for increased maturity of Protect.
Start your free Balbix trial >>>
delete this slide after use
DETECT
Maturity Level
Partial:
• "Partial" maturity level for Identify capabilities
• Security Operations Center (SOC) not implemented
Informed:
• "Informed" or higher maturity level for Identify capabilities
• Basic SOC with partial monitoring coverage of security events from organization's assets
Repeatable:
• Previous level capabilities
• Advanced SOC with comprehensive monitoring and detect coverage of security events
Adaptive:
• Previous level capabilities
• Proactive threat hunting capabilities
• Prioritization of SOC activities based on Risk
Balbix can help your organization implement the Identify and Detect capabilities listed above that are needed for increased maturity of Detect.
Start your free Balbix trial >>>
delete this slide after use
RESPOND
Maturity Level
Partial:
• "Partial" maturity level for Identify capabilities
• No formal Respond Plan
Informed:
• "Informed" or higher maturity level for Identify capabilities
• Manual Respond Plan for critical organization assets
Repeatable:
• Previous level capabilities
• Automated Respond Plan for all enterprise assets
• Periodic review and update of Respond Plan
Adaptive:
• Previous level capabilities
• Optimized Respond Plan for all enterprise assets
RECOVER
Maturity Level
Partial:
• "Partial" maturity level for Identify capabilities
• No formal Recover Plan
Informed:
• "Informed" or higher maturity level for Identify capabilities
• Manual Recover Plan for critical organization assets
Repeatable:
• Previous level capabilities
• Automated Recover Plan for identified critical assets
• Periodic review and update of Recover Plan
Adaptive:
• Previous level capabilities
• Recover Plan optimized for timely restoration of assets and functions based on business criticality
Risk-owner workflow diagram:
Balbix sensors and other IT and cybersecurity data sources -> Automatic asset inventory -> Continuous assessment of vulnerabilities and risk issues -> Prioritized list of vulnerabilities and risk items -> Dispatch to risk owners -> Evaluation of vulnerabilities and risk issues (resolve, assign to another owner, or accept as an exception) -> Periodic review of exceptions
Some risk issues are automatically accepted based on specific enterprise context.
LEARN MORE ABOUT BALBIX
Request a Demo
Good Luck!