Template For Recurring CISO Presentation To Board of Directors
Directions
The core presentation is Slides 7-21. Other slides contain instructions and additional materials.
Customize these slides based on the unique context of your organization and industry.
Look out for the Editable box to know which visualizations are modifiable.
Review the guidance in the notes section below each slide.
Use the slides in the appendix section as needed to augment the presentation.
The risk calculations and visualizations shown in this PowerPoint can be automated with Balbix. You
can request a demo here or start your free trial.
delete this slide after use
Your goal with this presentation is to help the Board meet its fiduciary duties. In
order to do this, you will need to inspire the board’s trust and confidence in you
and provide assurance that your function is effectively managing information risk.
Your best bet is to tell a compelling and simple story. It is more important to be
interesting than to be complete!
delete this slide after use
Consider:
• Are you presenting good or bad news? Do you want the board to feel happy about the progress Infosec is making? Or is this bad news because you don't have funding for everything that absolutely needs to be done?
• How happy do you want them to feel? Excited because cybersecurity posture is indeed better? Mildly concerned that some risks are manifesting but you have them under control? Or deeply concerned because there are "someone might go to jail-level" security holes?
delete this slide after use
Many CISOs cannot quantify cyber risk in dollars and cents of expected loss. Remember that the common currency everyone understands is money. If you speak in relative terms like high, medium or low risk, your board member has no real idea whether your definition of "medium" is an acceptable level of risk. When you quantify in money terms, this becomes easy.
delete this slide after use
Summary of our Last Meeting: Summarize the takeaways from the previous Board presentation. Follow up on unresolved issues or any unanswered questions from the previous meeting. Refresh the Board on your security framework.
Events and Changes in Risk Landscape: Update the Board on the overall risk landscape, including notable events. Highlight risks that require immediate action. Present mitigation strategies and explain how the Board can help.
Performance against Strategic Infosec Goals: Present Infosec's progress towards the strategic objectives that you presented earlier to the Board. Be transparent about any setbacks and say how you are managing through these.
Special Topic: This section is optional and may be used to discuss any topics that fall outside the scope of the other agenda topics. For example, relevant topics include M&A activity, a data breach, etc.
<company name> Cybersecurity Update, 7/14/21
WE USE THE NIST CYBERSECURITY FRAMEWORK
Capability | Description
RISK SNAPSHOT AND TREND
Risk $17M = Likelihood 48% × Impact $35M (0.48 × $35M = $16.8M, rounded to $17M). Editable.
Trend chart: risk in $M by quarter, Q3 '19 to Q2 '20 (axis 0 to 40).
There is a 48% chance that we will have an impact of $35M from a cybersecurity event this year.
RISK BY BUSINESS AND ATTACK TYPE
Three editable charts: Breach Likelihood by Business Unit (0% to 100%); Breach Risk by Business Unit, quarter over quarter ($0M to $10M); Breach Likelihood by Attack Vector.
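The snapshot and the per-business-unit and per-attack-vector charts above all come from one roll-up: each (business unit, attack vector) exposure has an annual breach likelihood and a loss if it happens, risk is likelihood times impact, and the headline likelihood is the chance that at least one exposure fires. The following is an added example of that roll-up; it is not Balbix code or a calculation from the original deck. The business units, vectors and figures are constructed, and the "at least one" combination assumes the exposures are independent, which is a modelling assumption of the example rather than something the slide states.

```python
"""Expected-loss roll-up behind a board risk snapshot (added example, not Balbix code)."""
from __future__ import annotations

from dataclasses import dataclass
from math import prod
from typing import Callable, Iterable


@dataclass(frozen=True)
class Exposure:
    business_unit: str
    vector: str          # attack vector, e.g. "phishing"
    likelihood: float    # P(breach via this vector in the next 12 months)
    impact_musd: float   # loss in $M if that breach happens


def combined_likelihood(probs: Iterable[float]) -> float:
    """P(at least one event) = 1 - prod(1 - p_i).

    Assumes the exposures are independent (a modelling assumption of this
    example); correlated vectors would need a joint model instead.
    """
    return 1.0 - prod(1.0 - p for p in probs)


def expected_loss(exposures: Iterable[Exposure]) -> float:
    """Annualised expected loss in $M: sum over exposures of likelihood x impact."""
    return sum(e.likelihood * e.impact_musd for e in exposures)


def snapshot(exposures: list[Exposure]) -> dict[str, float]:
    """The three headline numbers on the risk-snapshot slide."""
    risk = expected_loss(exposures)
    likelihood = combined_likelihood(e.likelihood for e in exposures)
    return {
        "risk_musd": risk,
        "likelihood": likelihood,
        # expected loss conditional on a breach happening at all
        "impact_if_breached_musd": risk / likelihood if likelihood else 0.0,
    }


def roll_up(exposures: Iterable[Exposure],
            key: Callable[[Exposure], str]) -> dict[str, dict[str, float]]:
    """Group exposures by key and give each group its own likelihood and risk."""
    groups: dict[str, list[Exposure]] = {}
    for e in exposures:
        groups.setdefault(key(e), []).append(e)
    return {
        k: {"likelihood": combined_likelihood(x.likelihood for x in g),
            "risk_musd": expected_loss(g)}
        for k, g in groups.items()
    }


def by_business_unit(exposures: Iterable[Exposure]) -> dict[str, dict[str, float]]:
    return roll_up(exposures, lambda e: e.business_unit)


def by_attack_vector(exposures: Iterable[Exposure]) -> dict[str, dict[str, float]]:
    return roll_up(exposures, lambda e: e.vector)


def quarter_over_quarter(previous: list[Exposure], current: list[Exposure]) -> dict[str, float]:
    """Change in expected loss ($M) per business unit, current minus previous."""
    prev = by_business_unit(previous)
    curr = by_business_unit(current)
    return {
        unit: curr.get(unit, {}).get("risk_musd", 0.0)
              - prev.get(unit, {}).get("risk_musd", 0.0)
        for unit in set(prev) | set(curr)
    }


# Constructed sample figures for two quarters; not data from any real organisation.
LAST_QUARTER = [
    Exposure("Academic & Professional", "unpatched software", 0.30, 10.0),
    Exposure("Academic & Professional", "phishing", 0.10, 10.0),
    Exposure("Retail", "phishing", 0.25, 20.0),
    Exposure("Retail", "weak credentials", 0.10, 20.0),
]
THIS_QUARTER = [
    Exposure("Academic & Professional", "unpatched software", 0.20, 10.0),
    Exposure("Academic & Professional", "phishing", 0.10, 10.0),
    Exposure("Retail", "phishing", 0.25, 20.0),
    Exposure("Retail", "weak credentials", 0.10, 20.0),
]

if __name__ == "__main__":
    s = snapshot(THIS_QUARTER)
    print(f"There is a {s['likelihood']:.0%} chance of an impact of "
          f"${s['impact_if_breached_musd']:.1f}M; risk is ${s['risk_musd']:.1f}M")
    for unit, delta in quarter_over_quarter(LAST_QUARTER, THIS_QUARTER).items():
        print(f"{unit}: {delta:+.1f} $M quarter over quarter")
```

With a single exposure of 48% and $35M the snapshot reproduces the slide's $16.8M (shown as $17M). With several exposures the "impact" figure the board sees is the expected loss given that some breach happens, which is why it is derived from risk and likelihood rather than typed in separately.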
RISK DETAIL HIGHLIGHT
3. We are working hard to mitigate this risk by rolling out better capabilities to identify and prioritize vulnerabilities, EDR and email security. Some progress has been made, as evident in the recent risk reduction for the business unit Academic & Professional.
Top Projects:
1. AI for Visibility & VM
2. EDR
3. Email security
LEARNINGS FROM RECENT BREACHES
Protect
Equifax: Attackers breached Equifax's network through a known vulnerability that was not patched and were able to penetrate deeper due to a flat network.
Us: We continue to invest in protective controls. This year we are deploying EDR and email security, and reducing mean-time-to-patch below 30 days.
Detect
Equifax: Equifax's detection capabilities were hampered by their lack of visibility into the use of expired and self-signed certificates in their network.
Us: We have invested heavily in our monitoring capabilities. Our 24x7 SOC keeps a vigilant eye out for anomalies in traffic patterns.
Respond
Equifax: Equifax waited a full month before announcing the breach, and when they did so it was using a web domain that was not secure.
Us: In case of breach, we have a detailed plan to contact the authorities and inform our customers.
Recover
Equifax: (to be filled in)
Us: (to be filled in)
PROGRESS IN CYBERSECURITY POSTURE
Maturity heat map (editable): rows are the NIST CSF functions Identify, Protect, Detect, Respond and Recover; columns are the maturity tiers Partial, Informed, Repeatable and Adaptive.
PROGRESS IN CYBERSECURITY POSTURE
Status legend: On Schedule, Delayed, Paused, Planned.
Capability | Initiatives | Milestones
Identify | Implement continuous cybersecurity posture visibility. Build risk owner's matrix and update quarterly. | Deploy Balbix; Asset Criticality Analysis; Build risk group hierarchy and assign risk owners
Protect | Implement strong identity with adaptive authentication. Improve security hygiene and patching posture. Update email security. | Build Balbix workflows for non-patching risk items; Turn on Okta adaptive auth; Deploy Okta; Deploy Proofpoint; Improve patching posture using Balbix or similar tool
Recover | Review & update business continuity plan every quarter | Review & identify gaps in plan with risk owners; Develop plan update to address gaps; Implement & test plan
STRATEGIC INITIATIVE: AUTOMATION
Industry avg. for MTD is 15 days; MTTR is 120+ days.
Timeline (editable): tX is the emergence of the risk (e.g., a newly discovered vulnerability), tD is its discovery, tR is its resolution. Mean Time to Discover (MTD) is the average of tD minus tX; Mean Time To Resolve (MTTR) is the average of tR minus tD. Our exposure runs from tX to tR, so shortening either interval shrinks it.
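The timeline above defines the two metrics and the exposure window between them. The following is an added example of computing them from a list of risk items; it is not Balbix code and not a calculation from the original deck. The risk items, dates and the "as of" date are constructed for the example, and the industry figures are the 15 and 120+ days quoted on the slide.

```python
"""Exposure-window metrics behind the automation slide (added example, not Balbix code).

For each risk item: tX is when the risk came into existence (e.g. the
vulnerability was disclosed), tD when we found it on our estate, tR when it
was resolved. MTD averages tD - tX, MTTR averages tR - tD, and the exposure
window is tX..tR (tX..today for items still open).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

INDUSTRY_MTD_DAYS = 15      # averages quoted on the slide
INDUSTRY_MTTR_DAYS = 120


@dataclass(frozen=True)
class RiskItem:
    name: str
    emerged: date             # tX
    discovered: date          # tD
    resolved: Optional[date]  # tR, None while the item is still open


def mean_time_to_discover(items: list[RiskItem]) -> float:
    """MTD in days: average of tD - tX over all items."""
    return mean((i.discovered - i.emerged).days for i in items)


def mean_time_to_resolve(items: list[RiskItem]) -> Optional[float]:
    """MTTR in days: average of tR - tD over resolved items; None if nothing is resolved yet."""
    closed = [i for i in items if i.resolved is not None]
    if not closed:
        return None
    return mean((i.resolved - i.discovered).days for i in closed)


def exposure_days(item: RiskItem, as_of: date) -> int:
    """Length of the exposure window tX..tR; still growing for open items."""
    end = item.resolved if item.resolved is not None else as_of
    return (end - item.emerged).days


def laggards(items: list[RiskItem], as_of: date,
             mtd_limit: int = INDUSTRY_MTD_DAYS,
             mttr_limit: int = INDUSTRY_MTTR_DAYS) -> list[str]:
    """Names of items that took longer than mtd_limit to discover, or that have
    been open longer than mttr_limit since discovery (open items count too)."""
    out = []
    for i in items:
        discover = (i.discovered - i.emerged).days
        end = i.resolved if i.resolved is not None else as_of
        resolve = (end - i.discovered).days
        if discover > mtd_limit or resolve > mttr_limit:
            out.append(i.name)
    return out


def metrics(items: list[RiskItem], as_of: date) -> dict:
    """Numbers for the slide: MTD, MTTR, total exposure, open items, gap to industry MTD."""
    mtd = mean_time_to_discover(items)
    return {
        "mtd_days": mtd,
        "mttr_days": mean_time_to_resolve(items),
        "total_exposure_days": sum(exposure_days(i, as_of) for i in items),
        "open_items": sum(1 for i in items if i.resolved is None),
        "mtd_vs_industry_days": mtd - INDUSTRY_MTD_DAYS,
    }


# Constructed sample records; names and dates are invented for this example.
SAMPLE = [
    RiskItem("unpatched web server", date(2020, 1, 1), date(2020, 1, 11), date(2020, 2, 10)),
    RiskItem("VPN appliance vulnerability", date(2020, 1, 5), date(2020, 1, 25), date(2020, 3, 5)),
    RiskItem("lab server vulnerability", date(2020, 2, 1), date(2020, 2, 16), None),
    RiskItem("expired TLS certificate on SOC sensor", date(2020, 2, 10), date(2020, 2, 15), date(2020, 2, 25)),
]
AS_OF = date(2020, 3, 31)

if __name__ == "__main__":
    for k, v in metrics(SAMPLE, AS_OF).items():
        print(f"{k}: {v}")
    print("outside industry averages:", laggards(SAMPLE, AS_OF))
```

Two choices matter when you put these numbers in front of a board: MTTR is averaged only over resolved items (an open item has no tR yet), so report the open count beside it, and the exposure window for open items keeps growing until the "as of" date, which is what the total exposure figure captures.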
SPECIAL TOPIC
Use this section to address special topics that do not fit within the other sections of the
presentation and are worthy of Board awareness and/or discussion.
5 Principles of Effective Cyber Risk Oversight: Guidance by National Assoc. of Corporate Directors
1. Boards should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Boards should understand the legal implications of cyber risk as they apply to the company's specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework.
5. Board-management discussion about cyber risk should include identification of which risks to avoid, accept, and mitigate or transfer through insurance, as well as specific plans.
CISO responsibilities (diagram): Interact with CEO and Board; Manage Incident Response; Manage Security Architecture; Respond to Regulatory Requirements; Risk Management Strategy; Manage Information Security Vendors.
CYBERSECURITY POSTURE MATURITY & GOALS
Maturity heat map template: rows are the NIST CSF functions Identify, Protect, Detect, Respond and Recover; columns are the maturity tiers Partial, Informed, Repeatable and Adaptive.
CYBERSECURITY POSTURE PROJECTS
Capability | Initiatives | Milestones (timeline 2020 to 2021)
Protect | Implement strong identity with adaptive authentication. Improve security hygiene and patching posture. Update email security. | Build Balbix workflows for non-patching risk items; Turn on Okta adaptive auth; Deploy Okta; Deploy Proofpoint; Improve patching posture using Balbix or similar tool
Recover | Review & update business continuity plan every quarter | Review & identify gaps in plan with risk owners; Develop plan update to address gaps; Implement & test plan
delete this slide after use
The Balbix platform uses AI to help discover and analyze your assets and attack surface to Identify areas of greatest risk. This is foundational to effective capabilities for Protect, Detect, Respond and Recover.
IDENTIFY
Maturity Level
Partial:
• Incomplete or manual inventory
• Incomplete and non-continuous vulnerability assessment
Informed:
• Continuous asset discovery and inventory
• Continuous vulnerability assessment across 100+ attack vectors incl. people
• Can quantify the impact of deployed mitigations on risk
Repeatable:
• Previous level capabilities
• New vulnerabilities and risk items are automatically mapped to risk owners
• Risk owners are notified about risk items that require action
Adaptive:
• Previous level capabilities
• Risk is understood in units of currency
• Different mitigation scenarios are simulated and compared
PROTECT
Maturity Level
Partial:
• “Partial” maturity level for Identify capabilities
• Some basic protections in place such as anti-virus and Internet firewall
Informed:
• “Informed” or higher maturity level for Identify capabilities
• Strong Identity
• EDR and VPN deployed, security awareness training
• Continuous vulnerability management for the majority of organization’s assets
Repeatable:
• Previous level capabilities
• Continuous security training of people
• Zones and Adaptive Trust
• Partially segmented network
Adaptive:
• Previous level capabilities
• Proactive management of vulnerabilities and risk items
• Periodic penetration testing of defenses
Balbix can help your organization implement important Identify and Protect capabilities (underlined above) that are needed for increased maturity of Protect.
Start your free Balbix trial >>>
delete this slide after use
DETECT
Maturity Level
Partial:
• “Partial” maturity level for Identify capabilities
• Security Operations Center (SOC) not implemented
Informed:
• “Informed” or higher maturity level for Identify capabilities
• Basic SOC with partial monitoring coverage of security events from organization’s assets
Repeatable:
• Previous level capabilities
• Advanced SOC with comprehensive monitoring and detect coverage of security events
Adaptive:
• Previous level capabilities
• Proactive threat hunting capabilities
• Prioritization of SOC activities based on Risk
Balbix can help your organization implement important Identify and Detect capabilities (underlined above) that are needed for increased maturity of Detect.
Start your free Balbix trial >>>
delete this slide after use
RESPOND
Maturity Level
Partial:
• “Partial” maturity level for Identify capabilities
• No formal Respond Plan
Informed:
• “Informed” or higher maturity level for Identify capabilities
• Manual Respond Plan for critical organization assets
• Periodic review and update of Respond Plan
Repeatable:
• Previous level capabilities
• Automated Respond Plan for all enterprise assets
Adaptive:
• Previous level capabilities
• Optimized Respond Plan for all enterprise assets
RECOVER
Maturity Level
Partial:
• “Partial” maturity level for Identify capabilities
• No formal Recover Plan
Informed:
• “Informed” or higher maturity level for Identify capabilities
• Manual Recover Plan for critical organization assets
• Periodic review and update of Recover Plan
Repeatable:
• Previous level capabilities
• Automated Recover Plan for identified critical assets
Adaptive:
• Previous level capabilities
• Recover Plan optimized for timely restoration of assets and functions based on business criticality
Risk workflow (diagram): Balbix sensors and other IT and Cybersecurity Data Sources → Automatic Asset Inventory → Continuous Assessment of Vulnerabilities and Risk Issues → Prioritized list of Vulnerabilities and Risk Items → Dispatch to Risk Owners → Evaluation of Vulnerabilities and Risk Issues.
From evaluation an item can be assigned to another owner or handled as an exception. Some risk issues are automatically accepted based on specific enterprise context; exceptions go through periodic review.
LEARN MORE ABOUT BALBIX
Request a Demo
Good Luck!