CISO’s Guide To Reporting to the Board

Not long ago, a board of directors would meet once or twice a year to be briefed on cybersecurity, check the box, and move on. Cybersecurity was little more than an afterthought, and mostly a box-checking exercise for compliance or to make sure the bases were covered in the wake of a newsworthy event. With little technical understanding at the board level, many were happy to simply throw money at the problem and leave it to IT professionals to handle.

But the world has changed substantially in recent years, and some of the most dramatic changes have only come in 2020. Malicious actors are growing more sophisticated. The attack surface and vendor ecosystems have rapidly expanded, refocusing the security conversation towards digital risk and risk tolerance. Despite large investments in cybersecurity, the frequency and severity of attacks have not decreased—the tactics have simply evolved.

To that end, according to Gartner, there is also increased scrutiny from senior executives and board members on what the return on investment from years of heavy spending on cybersecurity has been. There has never been a more important time for security and risk professionals to effectively measure, manage, and communicate their security program to senior executives, board members, and external stakeholders.

In this guide, we’ll arm you with information to help you before, during, and after your next board presentation.

Along with giving you best practices on objectives and presentation style, we'll give some insight into what the board is looking for and explain how to select and discuss cybersecurity metrics. Whether you're a CISO, a member of a security team, an advisor, or a board member yourself, this information is critical to your company's sustained security posture.