Uploaded byjjvdneut
PPTX, PDF2,205 views

Balbix-New-CISO-Board-Deck.pptx

The CISO is presenting to the board of directors to introduce cyber risk management at the company. The presentation covers three key areas: introducing cyber risk and the company's framework for managing it, the strategic roadmap and metrics for the information security function, and establishing information security as a board-level topic. The goal is to help the board understand cybersecurity risks, provide oversight of risk management, and introduce the CISO's vision and plans to improve the security posture.

Embed presentation

Downloaded 69 times
Template for New CISO Presentation to Board Audit Committee or to the Board of Directors
Using this Presentation Template This presentation template will help you organize your first presentation to the board of directors (or the board audit committee). If you have already presented to your board, you should use a different template for recurring CISO presentations which can be downloaded here. Directions  The core presentation is Slides 7-21. Other slides contain instructions and additional materials.  Customize these slides based on the unique context of your organization and industry.  Look out for the box to know which visualizations are modifiable.  Review the guidance in the notes section below each slide.  Use the slides in the appendix section as needed to augment the presentation. The risk calculations and visualizations shown in this PowerPoint can be automated with Balbix. You can request a demo here or start your free trial. Editable delete this slide after use
You are telling a story… Remember you are communicating about a complex technical topic with people who typically do not have a deep technical background. Your goal with this presentation is to help the Board meet its fiduciary duties. In order to do so, you will need to quantify cyber risk in business terms and map these to your key operational projects and metrics. This 1st presentation will play a foundational role in setting you up properly with the Board. Ultimately what you say will need to inspire the board’s trust and confidence in you and provide assurance that your function is effectively managing information risk. Your best bet is to tell a compelling and simple story. It is more important to be interesting than to be complete! delete this slide after use
What your board cares about… delete this slide after use 3 things Revenue Cost Risk Revenue growth and non-revenue objectives Current and future expense Compliance, threats to future revenue and brand reputation
Objectives of this 1st Presentation  Introduce yourself to the Board  Also re-introduce the Infosec function to the Board  Explain how cybersecurity risks present board-level business risks  Set up a framework for future discussions with the Board  Introduce your strategic vision and roadmap for the Infosec function of your organization delete this slide after use
Decide How You Want Them to Feel Research shows that human beings, including board members, make most decisions emotionally, and then find data to back up what they already decided. CISOs often tend to lead with lots of detailed technical security data, and as a result, they risk being unconvincing. You must decide how they want the board to feel as a result of your presentation, and then select the data to back up the emotional arc of the story. Consider: • Are you presenting good or bad news? Do you want the board to feel happy about the progress Infosec is making? Or is this bad news because you don’t have funding for everything that absolutely needs to be done? • How happy do you want them to feel? Excited because cybersecurity posture is indeed better? Mildly concerned that some risks are manifesting but you have them under control? Or deeply concerned because there are “someone might go to jail-level” security holes? delete this slide after use
Don’t forget the data While it is important to lead with emotion and tell a story, it is very important to follow with data! Many CISOs cannot quantify and equate cyber risk in dollars and cents of expected loss. Remember the common currency that everyone understands is money. If you speak in relative terms, like high, medium or low risk your board member has no real idea if your definition of “medium” is ”an acceptable level of risk”. When you quantify in money terms, e.g., ransomware is a $50M risk item, this becomes easy. delete this slide after use
This presentation template is divided into three sections designed to earn the Board’s trust and to provide a foundation for future CISO presentations to the board. delete this slide after use Introducing Cyber Risk & Infosec Framework Infosec Strategic Roadmap & Metrics Infosec as a Board-Level Topic Explain how you think about Infosec as a board-level topic. Make a compelling case that cybersecurity and compliance risks pose a critical business risk, and your board presentations are designed to help the Board understand these risks and provide oversight of risk management. Provide a general overview of how the organization manages information risk. Present the concept that managing risk is everyone’s job, not just the CISO’s. Introduce your Infosec framework to establish shared vocabulary and facilitate future discussions about cyber maturity, attacks/incidents, mitigation plans, and cyber risk quantification. Present Security’s current state against your security framework and lay out your vision and roadmap for improvement. Establish metrics and supporting data that you will present to track progress towards the annual or quarterly objectives agreed upon with the Board. OUTLINE OF YOUR PRESENTATION
Cyber Risk Update for <Company X> Board of Directors Add Your Logo Here September 18, 2023
ABOUT ME Elizabeth Chen-Reddy Chief Information Security Officer Liz.ChenReddy@company.com [insert photo] My Experience  XXX  YYY  ZZZ Education and Certifications  Degrees  Certifications
Overview of Cyber Risk Management Infosec Strategic Roadmap and Performance Metrics AGENDA Infosec as a Board-Level Topic
RECENT ATTACKS IMPACTING COMPANY X eCommerce Workforce Infrastructure & Supply Chain Brand Impersonation Website Defacement Exec Phishing Uptick IT Operations Insider Threat – Malaysia OT Supply Chain 90-95% Supply Chain
EVERYTHING HAS CHANGED In the last 12 months, there has been an exponential increase in the speed and intensity of attacks, especially targeting the infrastructure and manufacturing segment. Cyber Risk 2019 2020 2021 $50M $25M 2019 Mean Time of Arrival of New Exploitable Vulnerabilities 2020 2021 30 days 60 days Editable
Strategic Risk Operational Risk Financial Risk Reputational Risk Cyber Breach Risk Compliance Risk A theft of IP leads to bad press and long term value loss A ransomware attack leads to downtime and loss of revenue A compliance violation leads to a big fine and bad press Loss of customer data results in bad press and harms customer trust. INFOSEC MANAGES BUSINESS-LEVEL RISK
5 Principles of Effective Cyber Risk Oversight: Guidance by National Assoc. of Corporate Directors 1 2 3 4 5 Boards should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue Boards should understand the legal implications of cyber risk as they apply to the company’s specific circumstances Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework Board-management discussion about cyber risk should include identification of which risks to avoid, accept, and mitigate or transfer through insurance, as well as specific plans Source: National Association of Corporate Directors, Cyber-Risk Oversight Handbook, 2020 THE BOARD’S ROLE IN CYBER RISK OVERSIGHT
Overview of Cyber Risk Management Infosec Strategic Roadmap and Performance Metrics AGENDA Infosec as a Board-Level Topic
THREE LAYERS OF INFORMATION RISK MANAGEMENT Internal Audit Information Security Legal Privacy Compliance HR Layer 1. Risk Owners – in IT or in the Business Units Layer 3. Internal Audit Internal Audit provides the final assurance that information risks are being managed within the organization’s risk appetite. Layer 2. Risk Management Responsibilities: • Mapping assets to risk owners • Identifying and quantifying known and emerging risks • Setting up and facilitating risk management workflows Responsibilities: • Owning and managing risks, e.g., patching software • Maintaining effective security controls • Making daily risk management decisions BU2 BU4 Site1 Site2 Site3 Site5 Site6 Site55 Site6 Asset Type 1 Asset Type 2 Asset Type n BU1 BU3 BUn Site1 BS1 BS2 BS3 Site Business Unit Business Segment Asset Type 1 Asset Type 2 Asset Type n Owner 1 Owner 2 Site21 Owner 3 Owner 4 Owner 6 Owner 5 Owner N Business Segment Business Unit Site
OUR INFOSEC FUNCTION IN DETAIL Manage Information Security Risk Risk Management Strategy Manage Data Classification Manage Employee Awareness & Training Manage Third-Party Risks Evaluate and oversee deployment of new security tools Respond to Regulatory Requirements Maintain Records Management and E- Discovery Manage Data Privacy Operate Security Controls Manage Incident Response Manage Vulnerabilities and other risk items Manage Security Architecture Monitor Systems and Events Manage Business Continuity and Disaster Recovery Plans Interact with CEO and Board Hiring and Training Measure Metrics and Performance Manage Information Security Vendors Manage Information Security Budget Drive Ownership And Accountability Manage Compliance and 3rd Party Risks CISO and Deputy CISO
WE USE THE NIST CYBERSECURITY FRAMEWORK  Understanding and communicating security status  Prioritizing infosec activities  Improving our cybersecurity program  Updating the Board on the organization’s cybersecurity posture  Understanding breaches in the news  Aligning regulatory requirements with broader risk management activities Uses of the NIST Cybersecurity Framework Risk Owners The Board CISO
WE USE THE NIST CYBERSECURITY FRAMEWORK What processes and assets need protection? Implement appropriate safeguards to ensure protection of the enterprise’s assets Implement appropriate mechanisms to identify the occurrence of cybersecurity incidents Develop techniques to contain the impacts of cybersecurity events Implement the appropriate processes to restore capabilities and services impaired due to cybersecurity events Description Identify Protect Detect Respond Recover Capability % Visibility, Breach Impact ($s) of Assets and Scenarios Risk in $s Mean-time-to-detect Max-time-to-respond Max-time-to-recover Metrics
LEARNINGS FROM THE COLONIAL ATTACK Colonial Identify Protect Detect Respond Recover Capability Our Organization Attackers breached Colonial’s network through a compromised credential and were able to quickly penetrate deep due to a flat network. Colonial did not have an up to date inventory of their users and assets and they had big gaps in their vulnerability assessment program. Colonial’s detection capabilities were hampered by their lack of visibility into user activity and the connections between their IT and OT networks. Colonial did not have a good response plan for attacks to the IT network. They had to shut down their OT network as a precautionary measure. We still have some gaps in our cybersecurity visibility and vulnerability management program but have made good progress in recent months. In case of breach, we have a detailed plan to limit damage, contact the authorities and inform our customers. We have invested heavily in our monitoring capabilities. Our 24x7 SOC keeps a vigilant eye out for anomalies in traffic patterns. We continue to invest in protective controls. This year we are deploying MFA and EDR. We are reducing mean-time-to-patch below 30 days. 82% visibility Risk: $37M Detect Time: 50 min Response Time: 4 hours
Overview of Cyber Risk Management Infosec Strategic Roadmap and Performance Metrics AGENDA Infosec as a Board-Level Topic
CYBERSECURITY POSTURE PROJECTS Initiatives Identify Protect Detect Respond Recover Capability Review & update business continuity plan every quarter Improve incidence response with automated playbooks Implement strong identity with adaptive authentication. Improve security hygiene and patching posture. Update email security. Implement continuous cybersecurity posture visibility. Build risk owner’s matrix and update quarterly. Incorporate threat feeds in SOC workflows. 2021 2022 Deploy Balbix Asset Criticality Analysis Build risk group hierarchy and assign risk owners Deploy Okta Deploy Proofpoint or similar tool Build Balbix workflows for non-patching risk items Improve Patching Posture using Balbix Integrate Recorded Future in SOC Integrate TBD SOAR platform in SOC Review & identify gaps in plan with risk owners Develop plan update to address gaps Implement & test plan Turn on Okta adaptive auth
CYBERSECURITY KPIs: RISK, LIKELIHOOD & IMPACT $37M Risk 48% Likelihood $77M Impact There is a 48% chance that we will have an impact of $77M from a cybersecurity event this year. Editable Breach Risk Trend 0 20 40 60 80 Q4 '20 Q1 '21 Q2 '21 Q3 '21 $M
RISK BY BUSINESS UNIT AND ATTACK TYPE Editable Risk Snapshot by Business Unit $12M $10M $17M $0M $5M $10M $15M $20M Power Tools Lighting Industrial Breach Likelihood by Attack Type 61% 47% 27% 22% 15% 12% 0% 20% 40% 60% 80% 100% Phishing Software Vulnerability Misconfiguration Supply Chain Compromised Credentials Insider Threat Breach Risk Trend $0M $5M $10M $15M $20M $25M Q4'20 Q1'21 Q2'21 Q3'21 Power Tools Lighting Industrial
WE USE THIS WIDGET TO PROVIDE A BIRD’S EYE VIEW OF CYBERSECURITY POSTURE The outer ring is everything “Internet Facing”. This is where attacks begin before burrowing into the core. The inner circle is the core, properly behind the corporate “firewall”. This is where most of our valuable information and critical systems are. Red means high likelihood of breach. Green and Orange is better.
E.g., EFFECTIVENESS OF PROTECTIVE CONTROLS With Current Controls With Current Controls Controls Effectiveness Index 0 0.2 0.4 0.6 0.8 1 Q3 '19 Q4 '19 Q1 '20 Q2 '20 Controls Effectiveness Index 0 0.2 0.4 0.6 0.8 1 Q3 '19 Q4 '19 Q1 '20 Q2 '20
CYBERSECURITY KPIs: MEAN-TIME-TO-RESOLVE continuous monitoring evaluate and dispatch contain Automate Minimize exposure and Risk by remediating vulnerabilities and risk items at high velocity Indicators of vulnerabilities, attack or compromise
STRATEGIC INITIATIVE: AUTOMATION Automating identification, evaluation and resolution of cyber-risk time Mean Time To Resolve (MTTR) Emergence of Risk, e.g., newly discovered vulnerability Resolution tD tR Industry avg. for MTD is 15 days, MTTR is 120+ days Our MTD is now <1hr, MTTR is 6 days tX Mean Discovery Time (MDT) Identification of vulnerable and risky assets Our exposure
CYBERSECURITY POSTURE GOALS Q4 ‘20 Today Target for Q2’22 Breach Risk Change and Target State
Q & A
APPENDIX SLIDES
If you found these slides useful… Balbix can help you with many critical pieces of your Infosec program. The Balbix platform uses AI to help discover and analyze your assets and attack surface to Identify areas of greatest risk. This is foundational to effective capabilities for Protect , Detect , Respond and Recover . Balbix will automatically and rigorously quantify your cyber risk in $s. Balbix also enables you automate critical elements of your cybersecurity program and quantify changes in risk as you improve your cybersecurity posture. The next few slides has some additional delete this slide after use Start your free Balbix trial >>>
CYBER RISK QUANTIFICATION delete this slide after use You can learn more about how to rigorously estimate your cyber risk in money units by analyzing data from your various cybersecurity, IT and business tools. Download this eBook at https://www.balbix.com/resources/how-to- calculate-your-enterprises-breach-risk/
IDENTIFY delete this slide after use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • Incomplete or manual inventory • Incomplete and non- continuous vulnerability assessment • Continuous asset discovery and inventory • Continuous vulnerability assessment across 100+ attack vectors incl. people • Can quantify the impact of deployed mitigations on risk • Previous level capabilities • New vulnerabilities and risk items are automatically mapped to risk owners • Risk owners are notified about risk items that require action • Previous level capabilities • Risk is understood in units of currency • Different mitigation scenarios are simulated and compared Balbix can help your organization implement all capabilities that are needed for Adaptive Level Maturity for Identify.
PROTECT delete this slide after use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • “Partial” maturity level for Identify capabilities • Some basic protections in place such as anti-virus and Internet firewall • “Informed” or higher maturity level for Identify capabilities • EDR and VPN deployed, security awareness training • Continuous vulnerability management for the majority of organization’s assets • Previous level capabilities • Strong Identity • Continuous security & risk training of people • Partially segmented network • Previous level capabilities • Proactive management of vulnerabilities and risk items • Zones and Adaptive Trust • Periodic penetration testing of defenses Balbix can help your organization implement important Identify and Protect capabilities (underlined above) that are needed for increased maturity of Protect
DETECT delete this slide after use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • “Partial” maturity level for Identify capabilities • Security Operations Center (SOC) not implemented • “Informed” or higher maturity level for Identify capabilities • Basic SOC with partial monitoring coverage of security events from organization’s assets • Previous level capabilities • Advanced SOC with comprehensive monitoring and detect coverage of security events • Previous level capabilities • Proactive threat hunting capabilities • Prioritization of SOC activities based on Risk Balbix can help your organization implement important Identify and Detect capabilities (underlined above) that are needed for increased maturity of Detect
RESPOND delete this slide after use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • “Partial” maturity level for Identify capabilities • No formal Respond Plan • “Informed” or higher maturity level for Identify capabilities • Manual Respond Plan for critical organization assets • Previous level capabilities • Automated Respond Plan for all enterprise assets • Periodic review and update of Respond Plan • Previous level capabilities • Optimized Respond Plan for all enterprise assets Balbix’s Identify capabilities (underlined above) are foundational to implement increased maturity of your Respond Plan
RECOVER delete this slide after use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • “Partial” maturity level for Identify capabilities • No formal Recover Plan • “Informed” or higher maturity level for Identify capabilities • Manual Recover Plan for critical organization assets • Previous level capabilities • Automated Recover Plan for identified critical assets • Periodic review and update of Recover Plan • Previous level capabilities • Recover Plan optimized for timely restoration of assets and functions based on business criticality Balbix’s Identify capabilities (underlined above) are foundational to implement increased maturity of your Recover Plan
CYBERSECURITY POSTURE AUTOMATION delete this slide after use Automatic Asset Inventory Continuous Assessment of Vulnerabilities and Risk Issues Evaluation of Vulnerabilities and Risk Issues Dispatch to Risk Owners Periodic Review of Exceptions Some risk Issues are automatically accepted based on specific enterprise context Prioritized list of Vulnerabilities and Risk Items Owner Review Manual or Automated Fix/Mitigation Steps Assign to another owner Accept Risk for some issues and document reasons Automatic Validation Per-owner Prioritized list of Vulnerabilities and Risk Items Global Threat & Vulnerability Data Balbix sensors and other IT and Cybersecurity Data Sources Carrier X Carrier X Carrier X Dashboards & Reporting
LEARN MORE ABOUT BALBIX In 30 minutes, we will show how Balbix can help you automate your cybersecurity posture. With Balbix, you will use AI, automation and gamification to discover, prioritize and mitigate your unseen vulnerabilities at high velocity. You will also be able to quantify your cyber risk in $-terms, traceable to operational metrics and asset attributes driving this risk. You will be presented with practical actions you can take to mitigate this risk. Request a Demo https://www.balbix.com/request-a-demo/ A single, comprehensive view of cybersecurity posture
Good Luck! delete this slide after use Start your free Balbix trial >>>

More Related Content

PPT
cyber security incident exercises TTX .ppt
byZharfanHanif
 
PDF
PwC Point of View on Cybersecurity Management
byCA Technologies
 
PPSX
Board and Cyber Security
byLeon Fouche
 
PPTX
The Board and Cyber Security
byFireEye, Inc.
 
PDF
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
byTuan Phan
 
PDF
Building an effective Information Security Roadmap
byElliott Franklin
 
PPTX
Build an Information Security Strategy
byAndrew Byers
 
PPTX
Risk Management Approach to Cyber Security
byErnest Staats
 
cyber security incident exercises TTX .ppt
byZharfanHanif
 
PwC Point of View on Cybersecurity Management
byCA Technologies
 
Board and Cyber Security
byLeon Fouche
 
The Board and Cyber Security
byFireEye, Inc.
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
byTuan Phan
 
Building an effective Information Security Roadmap
byElliott Franklin
 
Build an Information Security Strategy
byAndrew Byers
 
Risk Management Approach to Cyber Security
byErnest Staats
 

What's hot

PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
PPTX
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
PDF
SOC Architecture - Building the NextGen SOC
byPriyanka Aash
 
PDF
Building A Security Operations Center
bySiemplify
 
PDF
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
byPriyanka Aash
 
PDF
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
bySounil Yu
 
PDF
Governance of security operation centers
byBrencil Kaimba
 
PPTX
Effective Security Operation Center - present by Reza Adineh
byReZa AdineH
 
PPTX
Dragos S4x20: How to Build an OT Security Operations Center
byDragos, Inc.
 
PPTX
New Paradigms for the Next Era of Security
bySounil Yu
 
PDF
Building Security Operation Center
byS.E. CTS CERT-GOV-MD
 
PDF
Bulding Soc In Changing Threat Landscapefinal
byMahmoud Yassin
 
PDF
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
byIBM Security
 
PPT
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
PPTX
SOC Architecture Workshop - Part 1
byPriyanka Aash
 
PPTX
Cyber Defense Matrix: Reloaded
bySounil Yu
 
PPTX
7 Steps to Build a SOC with Limited Resources
byLogRhythm
 
PDF
Introduction to Cybersecurity
byKrutarth Vasavada
 
PDF
From SIEM to SOC: Crossing the Cybersecurity Chasm
byPriyanka Aash
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
SOC Architecture - Building the NextGen SOC
byPriyanka Aash
 
Building A Security Operations Center
bySiemplify
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
byPriyanka Aash
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
bySounil Yu
 
Governance of security operation centers
byBrencil Kaimba
 
Effective Security Operation Center - present by Reza Adineh
byReZa AdineH
 
Dragos S4x20: How to Build an OT Security Operations Center
byDragos, Inc.
 
New Paradigms for the Next Era of Security
bySounil Yu
 
Building Security Operation Center
byS.E. CTS CERT-GOV-MD
 
Bulding Soc In Changing Threat Landscapefinal
byMahmoud Yassin
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
byIBM Security
 
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
SOC Architecture Workshop - Part 1
byPriyanka Aash
 
Cyber Defense Matrix: Reloaded
bySounil Yu
 
7 Steps to Build a SOC with Limited Resources
byLogRhythm
 
Introduction to Cybersecurity
byKrutarth Vasavada
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
byPriyanka Aash
 

Similar to Balbix-New-CISO-Board-Deck.pptx

PPTX
How to present information security risks to Board)
byEduardoCostaVianna
 
PPTX
The Gathering Storm
byInnoTech
 
PDF
Wisegate_GeekSpeak_LG
byBrian T. O'Hara CISA, CISM, CRISC, CCSP, CISSP
 
PDF
For Corporate Boards, a Cyber Security Top 10
byDavid X Martin
 
PDF
Top Cybersecurity Concerns from Boards & Directors (Mid-2025)
byCybernetic Global Intelligence
 
PDF
Improving Cyber Security Literacy in Boards & Executives
byTripwire
 
PPTX
Bob West - Educating the Board of Directors
bycentralohioissa
 
PPTX
Internal Audit’s Role In Cybersecurity Guide.pptx
byheba938718
 
PDF
What CIOs Need To Tell Their Boards About Cyber Security
byKaryl Scott
 
PPTX
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
byFERMA
 
DOCX
Chapter 1The International Information Systems Security Certifi.docx
bycravennichole326
 
PPTX
Information Security and Risk Management.pptx
byprembasnet12
 
PPTX
Selling security to the C-level
byDonald Tabone
 
PPTX
Cybersecurity Risk Governance
byDan Michaluk
 
PDF
Cybersecurity in the Boardroom
byMarko Suswanto
 
PDF
MT 70 The New Era of Incident Response Planning
byDell EMC World
 
PDF
2023 ITM Short Course - Week 1.pdf
byDorcusSitali
 
PDF
A Major Revision of the CISRCP Program
byGoogleNewsSubmit
 
PDF
IREC165473PR RP 2017 Security Outlook
byChris Cornillie
 
PPTX
defensible_security-executive_support-sample.pptx
bymargueritemcleod1
 
How to present information security risks to Board)
byEduardoCostaVianna
 
The Gathering Storm
byInnoTech
 
Wisegate_GeekSpeak_LG
byBrian T. O'Hara CISA, CISM, CRISC, CCSP, CISSP
 
For Corporate Boards, a Cyber Security Top 10
byDavid X Martin
 
Top Cybersecurity Concerns from Boards & Directors (Mid-2025)
byCybernetic Global Intelligence
 
Improving Cyber Security Literacy in Boards & Executives
byTripwire
 
Bob West - Educating the Board of Directors
bycentralohioissa
 
Internal Audit’s Role In Cybersecurity Guide.pptx
byheba938718
 
What CIOs Need To Tell Their Boards About Cyber Security
byKaryl Scott
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
byFERMA
 
Chapter 1The International Information Systems Security Certifi.docx
bycravennichole326
 
Information Security and Risk Management.pptx
byprembasnet12
 
Selling security to the C-level
byDonald Tabone
 
Cybersecurity Risk Governance
byDan Michaluk
 
Cybersecurity in the Boardroom
byMarko Suswanto
 
MT 70 The New Era of Incident Response Planning
byDell EMC World
 
2023 ITM Short Course - Week 1.pdf
byDorcusSitali
 
A Major Revision of the CISRCP Program
byGoogleNewsSubmit
 
IREC165473PR RP 2017 Security Outlook
byChris Cornillie
 
defensible_security-executive_support-sample.pptx
bymargueritemcleod1
 

Recently uploaded

PPTX
PPTS HEALTHCARE.pptx NON-COMMUNICABLE DISEASES
bysohilnaik18
 
PPTX
The autoclave is also called a steam sterilizer that is commonly used in heal...
byJibina Babu
 
PPTX
Spectral CT Imaging: Principle and Applications of Dual-Energy and Photon Cou...
byJoginder Singh
 
PPTX
Apamarga.pptx - Achyranthus aspera pptx.
byBansariPatel112358
 
PDF
Visit Rangeela Spa Ajman — Most Trusted Spa in Ajman
byRangeela Spa Ajman
 
PDF
Hospital and Hospice Integration: A Formula for Quality and Efficiency
byVITASAuthor
 
PPTX
Geriatric Health in Nepal: Aging Process, Health Problems, and Care Services
byashutoshsah28
 
PPTX
Ophthalmic lens power and form presentation
byMilan Gupta
 
PDF
Importance of Safe Drinking Water in Commercial and Public Places
byconwaywaterseo
 
PDF
Final NABH Checklist 6TH ED JULY 2025 - Dr J L Meena.pdf
byDr Jitu Lal Meena
 
PPTX
Corneal Topography: Principles, Techniques, Patterns, and Clinical Applications
byMilan Gupta
 
PPTX
GMP_Summary_Presentation_Dr_SSD_19-01-2026.pptx
byDR SHAKEEB SIRAJ DHORAJIWALA
 
PPTX
Role of Ginger as a nutraceutical against (CINV).pptx
bysawairaaslam74822
 
PDF
ENJOYING LOW CARB DIETS FOR WEIGHT LOSS/
byLahcen Idar
 
PPTX
Healthcare SEO Audit & Growth Strategy for Apollo Hospitals
byRAHUL KACHHAL
 
PPTX
Early History and Evolution of Contact Lenses
byMilan Gupta
 
PDF
atharvyogshala.com-Deoria Taal Uttarakhands Magical Lake.pdf
byAtharv Yogshala
 
PDF
Module 1 INTRODUCTION TO COUNSELING .pdf
byperocho320
 
PPTX
Prism and Its Uses in Ophthalmic Dispensing
byMilan Gupta
 
PPT
children rights.ppt children rights child health nursing
byPooja Rani
 
PPTS HEALTHCARE.pptx NON-COMMUNICABLE DISEASES
bysohilnaik18
 
The autoclave is also called a steam sterilizer that is commonly used in heal...
byJibina Babu
 
Spectral CT Imaging: Principle and Applications of Dual-Energy and Photon Cou...
byJoginder Singh
 
Apamarga.pptx - Achyranthus aspera pptx.
byBansariPatel112358
 
Visit Rangeela Spa Ajman — Most Trusted Spa in Ajman
byRangeela Spa Ajman
 
Hospital and Hospice Integration: A Formula for Quality and Efficiency
byVITASAuthor
 
Geriatric Health in Nepal: Aging Process, Health Problems, and Care Services
byashutoshsah28
 
Ophthalmic lens power and form presentation
byMilan Gupta
 
Importance of Safe Drinking Water in Commercial and Public Places
byconwaywaterseo
 
Final NABH Checklist 6TH ED JULY 2025 - Dr J L Meena.pdf
byDr Jitu Lal Meena
 
Corneal Topography: Principles, Techniques, Patterns, and Clinical Applications
byMilan Gupta
 
GMP_Summary_Presentation_Dr_SSD_19-01-2026.pptx
byDR SHAKEEB SIRAJ DHORAJIWALA
 
Role of Ginger as a nutraceutical against (CINV).pptx
bysawairaaslam74822
 
ENJOYING LOW CARB DIETS FOR WEIGHT LOSS/
byLahcen Idar
 
Healthcare SEO Audit & Growth Strategy for Apollo Hospitals
byRAHUL KACHHAL
 
Early History and Evolution of Contact Lenses
byMilan Gupta
 
atharvyogshala.com-Deoria Taal Uttarakhands Magical Lake.pdf
byAtharv Yogshala
 
Module 1 INTRODUCTION TO COUNSELING .pdf
byperocho320
 
Prism and Its Uses in Ophthalmic Dispensing
byMilan Gupta
 
children rights.ppt children rights child health nursing
byPooja Rani
 

Balbix-New-CISO-Board-Deck.pptx

  • 1.
    Template for NewCISO Presentation to Board Audit Committee or to the Board of Directors
  • 2.
    Using this PresentationTemplate This presentation template will help you organize your first presentation to the board of directors (or the board audit committee). If you have already presented to your board, you should use a different template for recurring CISO presentations which can be downloaded here. Directions  The core presentation is Slides 7-21. Other slides contain instructions and additional materials.  Customize these slides based on the unique context of your organization and industry.  Look out for the box to know which visualizations are modifiable.  Review the guidance in the notes section below each slide.  Use the slides in the appendix section as needed to augment the presentation. The risk calculations and visualizations shown in this PowerPoint can be automated with Balbix. You can request a demo here or start your free trial. Editable delete this slide after use
  • 3.
    You are tellinga story… Remember you are communicating about a complex technical topic with people who typically do not have a deep technical background. Your goal with this presentation is to help the Board meet its fiduciary duties. In order to do so, you will need to quantify cyber risk in business terms and map these to your key operational projects and metrics. This 1st presentation will play a foundational role in setting you up properly with the Board. Ultimately what you say will need to inspire the board’s trust and confidence in you and provide assurance that your function is effectively managing information risk. Your best bet is to tell a compelling and simple story. It is more important to be interesting than to be complete! delete this slide after use
  • 4.
    What your boardcares about… delete this slide after use 3 things Revenue Cost Risk Revenue growth and non-revenue objectives Current and future expense Compliance, threats to future revenue and brand reputation
  • 5.
    Objectives of this1st Presentation  Introduce yourself to the Board  Also re-introduce the Infosec function to the Board  Explain how cybersecurity risks present board-level business risks  Set up a framework for future discussions with the Board  Introduce your strategic vision and roadmap for the Infosec function of your organization delete this slide after use
  • 6.
    Decide How YouWant Them to Feel Research shows that human beings, including board members, make most decisions emotionally, and then find data to back up what they already decided. CISOs often tend to lead with lots of detailed technical security data, and as a result, they risk being unconvincing. You must decide how they want the board to feel as a result of your presentation, and then select the data to back up the emotional arc of the story. Consider: • Are you presenting good or bad news? Do you want the board to feel happy about the progress Infosec is making? Or is this bad news because you don’t have funding for everything that absolutely needs to be done? • How happy do you want them to feel? Excited because cybersecurity posture is indeed better? Mildly concerned that some risks are manifesting but you have them under control? Or deeply concerned because there are “someone might go to jail-level” security holes? delete this slide after use
  • 7.
    Don’t forget thedata While it is important to lead with emotion and tell a story, it is very important to follow with data! Many CISOs cannot quantify and equate cyber risk in dollars and cents of expected loss. Remember the common currency that everyone understands is money. If you speak in relative terms, like high, medium or low risk your board member has no real idea if your definition of “medium” is ”an acceptable level of risk”. When you quantify in money terms, e.g., ransomware is a $50M risk item, this becomes easy. delete this slide after use
  • 8.
    This presentation templateis divided into three sections designed to earn the Board’s trust and to provide a foundation for future CISO presentations to the board. delete this slide after use Introducing Cyber Risk & Infosec Framework Infosec Strategic Roadmap & Metrics Infosec as a Board-Level Topic Explain how you think about Infosec as a board-level topic. Make a compelling case that cybersecurity and compliance risks pose a critical business risk, and your board presentations are designed to help the Board understand these risks and provide oversight of risk management. Provide a general overview of how the organization manages information risk. Present the concept that managing risk is everyone’s job, not just the CISO’s. Introduce your Infosec framework to establish shared vocabulary and facilitate future discussions about cyber maturity, attacks/incidents, mitigation plans, and cyber risk quantification. Present Security’s current state against your security framework and lay out your vision and roadmap for improvement. Establish metrics and supporting data that you will present to track progress towards the annual or quarterly objectives agreed upon with the Board. OUTLINE OF YOUR PRESENTATION
  • 9.
    Cyber Risk Update for <CompanyX> Board of Directors Add Your Logo Here September 18, 2023
  • 10.
    ABOUT ME Elizabeth Chen-Reddy ChiefInformation Security Officer Liz.ChenReddy@company.com [insert photo] My Experience  XXX  YYY  ZZZ Education and Certifications  Degrees  Certifications
  • 11.
    Overview of CyberRisk Management Infosec Strategic Roadmap and Performance Metrics AGENDA Infosec as a Board-Level Topic
  • 12.
    RECENT ATTACKS IMPACTINGCOMPANY X eCommerce Workforce Infrastructure & Supply Chain Brand Impersonation Website Defacement Exec Phishing Uptick IT Operations Insider Threat – Malaysia OT Supply Chain 90-95% Supply Chain
  • 13.
    EVERYTHING HAS CHANGED Inthe last 12 months, there has been an exponential increase in the speed and intensity of attacks, especially targeting the infrastructure and manufacturing segment. Cyber Risk 2019 2020 2021 $50M $25M 2019 Mean Time of Arrival of New Exploitable Vulnerabilities 2020 2021 30 days 60 days Editable
  • 14.
    Strategic Risk OperationalRisk Financial Risk Reputational Risk Cyber Breach Risk Compliance Risk A theft of IP leads to bad press and long term value loss A ransomware attack leads to downtime and loss of revenue A compliance violation leads to a big fine and bad press Loss of customer data results in bad press and harms customer trust. INFOSEC MANAGES BUSINESS-LEVEL RISK
  • 15.
    5 Principles ofEffective Cyber Risk Oversight: Guidance by National Assoc. of Corporate Directors 1 2 3 4 5 Boards should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue Boards should understand the legal implications of cyber risk as they apply to the company’s specific circumstances Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework Board-management discussion about cyber risk should include identification of which risks to avoid, accept, and mitigate or transfer through insurance, as well as specific plans Source: National Association of Corporate Directors, Cyber-Risk Oversight Handbook, 2020 THE BOARD’S ROLE IN CYBER RISK OVERSIGHT
  • 16.
    Overview of CyberRisk Management Infosec Strategic Roadmap and Performance Metrics AGENDA Infosec as a Board-Level Topic
  • 17.
    THREE LAYERS OFINFORMATION RISK MANAGEMENT Internal Audit Information Security Legal Privacy Compliance HR Layer 1. Risk Owners – in IT or in the Business Units Layer 3. Internal Audit Internal Audit provides the final assurance that information risks are being managed within the organization’s risk appetite. Layer 2. Risk Management Responsibilities: • Mapping assets to risk owners • Identifying and quantifying known and emerging risks • Setting up and facilitating risk management workflows Responsibilities: • Owning and managing risks, e.g., patching software • Maintaining effective security controls • Making daily risk management decisions BU2 BU4 Site1 Site2 Site3 Site5 Site6 Site55 Site6 Asset Type 1 Asset Type 2 Asset Type n BU1 BU3 BUn Site1 BS1 BS2 BS3 Site Business Unit Business Segment Asset Type 1 Asset Type 2 Asset Type n Owner 1 Owner 2 Site21 Owner 3 Owner 4 Owner 6 Owner 5 Owner N Business Segment Business Unit Site
  • 18.
    OUR INFOSEC FUNCTIONIN DETAIL Manage Information Security Risk Risk Management Strategy Manage Data Classification Manage Employee Awareness & Training Manage Third-Party Risks Evaluate and oversee deployment of new security tools Respond to Regulatory Requirements Maintain Records Management and E- Discovery Manage Data Privacy Operate Security Controls Manage Incident Response Manage Vulnerabilities and other risk items Manage Security Architecture Monitor Systems and Events Manage Business Continuity and Disaster Recovery Plans Interact with CEO and Board Hiring and Training Measure Metrics and Performance Manage Information Security Vendors Manage Information Security Budget Drive Ownership And Accountability Manage Compliance and 3rd Party Risks CISO and Deputy CISO
  • 19.
    WE USE THENIST CYBERSECURITY FRAMEWORK  Understanding and communicating security status  Prioritizing infosec activities  Improving our cybersecurity program  Updating the Board on the organization’s cybersecurity posture  Understanding breaches in the news  Aligning regulatory requirements with broader risk management activities Uses of the NIST Cybersecurity Framework Risk Owners The Board CISO
  • 20.
    WE USE THENIST CYBERSECURITY FRAMEWORK What processes and assets need protection? Implement appropriate safeguards to ensure protection of the enterprise’s assets Implement appropriate mechanisms to identify the occurrence of cybersecurity incidents Develop techniques to contain the impacts of cybersecurity events Implement the appropriate processes to restore capabilities and services impaired due to cybersecurity events Description Identify Protect Detect Respond Recover Capability % Visibility, Breach Impact ($s) of Assets and Scenarios Risk in $s Mean-time-to-detect Max-time-to-respond Max-time-to-recover Metrics
  • 21.
    LEARNINGS FROM THECOLONIAL ATTACK Colonial Identify Protect Detect Respond Recover Capability Our Organization Attackers breached Colonial’s network through a compromised credential and were able to quickly penetrate deep due to a flat network. Colonial did not have an up to date inventory of their users and assets and they had big gaps in their vulnerability assessment program. Colonial’s detection capabilities were hampered by their lack of visibility into user activity and the connections between their IT and OT networks. Colonial did not have a good response plan for attacks to the IT network. They had to shut down their OT network as a precautionary measure. We still have some gaps in our cybersecurity visibility and vulnerability management program but have made good progress in recent months. In case of breach, we have a detailed plan to limit damage, contact the authorities and inform our customers. We have invested heavily in our monitoring capabilities. Our 24x7 SOC keeps a vigilant eye out for anomalies in traffic patterns. We continue to invest in protective controls. This year we are deploying MFA and EDR. We are reducing mean-time-to-patch below 30 days. 82% visibility Risk: $37M Detect Time: 50 min Response Time: 4 hours
  • 22.
    Overview of CyberRisk Management Infosec Strategic Roadmap and Performance Metrics AGENDA Infosec as a Board-Level Topic
  • 23.
    CYBERSECURITY POSTURE PROJECTS Initiatives Identify Protect Detect Respond Recover Capability Review& update business continuity plan every quarter Improve incidence response with automated playbooks Implement strong identity with adaptive authentication. Improve security hygiene and patching posture. Update email security. Implement continuous cybersecurity posture visibility. Build risk owner’s matrix and update quarterly. Incorporate threat feeds in SOC workflows. 2021 2022 Deploy Balbix Asset Criticality Analysis Build risk group hierarchy and assign risk owners Deploy Okta Deploy Proofpoint or similar tool Build Balbix workflows for non-patching risk items Improve Patching Posture using Balbix Integrate Recorded Future in SOC Integrate TBD SOAR platform in SOC Review & identify gaps in plan with risk owners Develop plan update to address gaps Implement & test plan Turn on Okta adaptive auth
  • 24.
    CYBERSECURITY KPIs: RISK,LIKELIHOOD & IMPACT $37M Risk 48% Likelihood $77M Impact There is a 48% chance that we will have an impact of $77M from a cybersecurity event this year. Editable Breach Risk Trend 0 20 40 60 80 Q4 '20 Q1 '21 Q2 '21 Q3 '21 $M
  • 25.
    RISK BY BUSINESSUNIT AND ATTACK TYPE Editable Risk Snapshot by Business Unit $12M $10M $17M $0M $5M $10M $15M $20M Power Tools Lighting Industrial Breach Likelihood by Attack Type 61% 47% 27% 22% 15% 12% 0% 20% 40% 60% 80% 100% Phishing Software Vulnerability Misconfiguration Supply Chain Compromised Credentials Insider Threat Breach Risk Trend $0M $5M $10M $15M $20M $25M Q4'20 Q1'21 Q2'21 Q3'21 Power Tools Lighting Industrial
  • 26.
    WE USE THISWIDGET TO PROVIDE A BIRD’S EYE VIEW OF CYBERSECURITY POSTURE The outer ring is everything “Internet Facing”. This is where attacks begin before burrowing into the core. The inner circle is the core, properly behind the corporate “firewall”. This is where most of our valuable information and critical systems are. Red means high likelihood of breach. Green and Orange is better.
  • 27.
    E.g., EFFECTIVENESS OFPROTECTIVE CONTROLS With Current Controls With Current Controls Controls Effectiveness Index 0 0.2 0.4 0.6 0.8 1 Q3 '19 Q4 '19 Q1 '20 Q2 '20 Controls Effectiveness Index 0 0.2 0.4 0.6 0.8 1 Q3 '19 Q4 '19 Q1 '20 Q2 '20
  • 28.
    CYBERSECURITY KPIs: MEAN-TIME-TO-RESOLVE continuous monitoring evaluateand dispatch contain Automate Minimize exposure and Risk by remediating vulnerabilities and risk items at high velocity Indicators of vulnerabilities, attack or compromise
  • 29.
    STRATEGIC INITIATIVE: AUTOMATION Automatingidentification, evaluation and resolution of cyber-risk time Mean Time To Resolve (MTTR) Emergence of Risk, e.g., newly discovered vulnerability Resolution tD tR Industry avg. for MTD is 15 days, MTTR is 120+ days Our MTD is now <1hr, MTTR is 6 days tX Mean Discovery Time (MDT) Identification of vulnerable and risky assets Our exposure
  • 30.
    CYBERSECURITY POSTURE GOALS Q4‘20 Today Target for Q2’22 Breach Risk Change and Target State
  • 31.
  • 32.
  • 33.
    If you foundthese slides useful… Balbix can help you with many critical pieces of your Infosec program. The Balbix platform uses AI to help discover and analyze your assets and attack surface to Identify areas of greatest risk. This is foundational to effective capabilities for Protect , Detect , Respond and Recover . Balbix will automatically and rigorously quantify your cyber risk in $s. Balbix also enables you automate critical elements of your cybersecurity program and quantify changes in risk as you improve your cybersecurity posture. The next few slides has some additional delete this slide after use Start your free Balbix trial >>>
  • 34.
    CYBER RISK QUANTIFICATION deletethis slide after use You can learn more about how to rigorously estimate your cyber risk in money units by analyzing data from your various cybersecurity, IT and business tools. Download this eBook at https://www.balbix.com/resources/how-to- calculate-your-enterprises-breach-risk/
  • 35.
    IDENTIFY delete this slideafter use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • Incomplete or manual inventory • Incomplete and non- continuous vulnerability assessment • Continuous asset discovery and inventory • Continuous vulnerability assessment across 100+ attack vectors incl. people • Can quantify the impact of deployed mitigations on risk • Previous level capabilities • New vulnerabilities and risk items are automatically mapped to risk owners • Risk owners are notified about risk items that require action • Previous level capabilities • Risk is understood in units of currency • Different mitigation scenarios are simulated and compared Balbix can help your organization implement all capabilities that are needed for Adaptive Level Maturity for Identify.
  • 36.
    PROTECT delete this slideafter use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • “Partial” maturity level for Identify capabilities • Some basic protections in place such as anti-virus and Internet firewall • “Informed” or higher maturity level for Identify capabilities • EDR and VPN deployed, security awareness training • Continuous vulnerability management for the majority of organization’s assets • Previous level capabilities • Strong Identity • Continuous security & risk training of people • Partially segmented network • Previous level capabilities • Proactive management of vulnerabilities and risk items • Zones and Adaptive Trust • Periodic penetration testing of defenses Balbix can help your organization implement important Identify and Protect capabilities (underlined above) that are needed for increased maturity of Protect
  • 37.
    DETECT delete this slideafter use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • “Partial” maturity level for Identify capabilities • Security Operations Center (SOC) not implemented • “Informed” or higher maturity level for Identify capabilities • Basic SOC with partial monitoring coverage of security events from organization’s assets • Previous level capabilities • Advanced SOC with comprehensive monitoring and detect coverage of security events • Previous level capabilities • Proactive threat hunting capabilities • Prioritization of SOC activities based on Risk Balbix can help your organization implement important Identify and Detect capabilities (underlined above) that are needed for increased maturity of Detect
  • 38.
    RESPOND delete this slideafter use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • “Partial” maturity level for Identify capabilities • No formal Respond Plan • “Informed” or higher maturity level for Identify capabilities • Manual Respond Plan for critical organization assets • Previous level capabilities • Automated Respond Plan for all enterprise assets • Periodic review and update of Respond Plan • Previous level capabilities • Optimized Respond Plan for all enterprise assets Balbix’s Identify capabilities (underlined above) are foundational to implement increased maturity of your Respond Plan
  • 39.
    RECOVER delete this slideafter use Start your free Balbix trial >>> Maturity Level Partial Informed Repeatable Adaptive • “Partial” maturity level for Identify capabilities • No formal Recover Plan • “Informed” or higher maturity level for Identify capabilities • Manual Recover Plan for critical organization assets • Previous level capabilities • Automated Recover Plan for identified critical assets • Periodic review and update of Recover Plan • Previous level capabilities • Recover Plan optimized for timely restoration of assets and functions based on business criticality Balbix’s Identify capabilities (underlined above) are foundational to implement increased maturity of your Recover Plan
  • 40.
    CYBERSECURITY POSTURE AUTOMATION deletethis slide after use Automatic Asset Inventory Continuous Assessment of Vulnerabilities and Risk Issues Evaluation of Vulnerabilities and Risk Issues Dispatch to Risk Owners Periodic Review of Exceptions Some risk Issues are automatically accepted based on specific enterprise context Prioritized list of Vulnerabilities and Risk Items Owner Review Manual or Automated Fix/Mitigation Steps Assign to another owner Accept Risk for some issues and document reasons Automatic Validation Per-owner Prioritized list of Vulnerabilities and Risk Items Global Threat & Vulnerability Data Balbix sensors and other IT and Cybersecurity Data Sources Carrier X Carrier X Carrier X Dashboards & Reporting
  • 41.
    LEARN MORE ABOUTBALBIX In 30 minutes, we will show how Balbix can help you automate your cybersecurity posture. With Balbix, you will use AI, automation and gamification to discover, prioritize and mitigate your unseen vulnerabilities at high velocity. You will also be able to quantify your cyber risk in $-terms, traceable to operational metrics and asset attributes driving this risk. You will be presented with practical actions you can take to mitigate this risk. Request a Demo https://www.balbix.com/request-a-demo/ A single, comprehensive view of cybersecurity posture
  • 42.
    Good Luck! delete thisslide after use Start your free Balbix trial >>>

Editor's Notes

  • #7 Reference for the emotional decision making of humans: Thinking, Fast and Slow, Daniel Kahneman https://en.wikipedia.org/wiki/Thinking,_Fast_and_Slow The main thesis of this book is that of a dichotomy between two modes of thought: "System 1" is fast, instinctive and emotional; "System 2" is slower, more deliberative, and more logical. The book delineates rational and non-rational motivations/triggers associated with each type of thinking process, and how they complement each other, starting with Kahneman's own research on loss aversion. From framing choices to people's tendency to replace a difficult question with one which is easy to answer, the book summarizes several decades of research to suggest that people have too much confidence in human judgement. Daniel Kahneman was awarded the 2002 Nobel Prize in Economics for his research.
  • #8 Reference: Storytelling with Data: A Data Visualization Guide for Business Professionals 1st Edition by Cole Nussbaumer Knaflic    https://www.storytellingwithdata.com/books https://www.amazon.com/gp/product/1119002257
  • #10 Modify this slide to add your organization’s name and logo. The date field is auto-updating. If you are preparing your slides for a specific date, you may want to change that.
  • #14 This slide is useful when you want to highlight a shift or change in industry conditions and explain to the board why the cybersecurity measures that were “good enough” in the past are no longer cutting it. You can substitute your company’s values for risk in the figure on the right.
  • #15 Customize this slide with ‘bad outcomes’ that are specific to your organization. Use this slide to make the connection between information and compliance risk and Board-level business risks. It is very important that the Board understands that your presentations are centered around managing business risks that can harm the organization’s strategic objectives rather than around low-level technical details that do not merit Board-level concern.
  • #16 Note: This slide uses the National Association of Directors’ guidance because it is broadly applicable across industry. Chat with your CEO to understand if your Board follows a different set of guidelines, and then change this slide appropriately. Information Sources: National Association of Corporate Directors: https://www.nacdonline.org/cyber U.S. Securities and Exchange Commission: https://www.sec.gov/spotlight/cybersecurity.shtml
  • #18 The goal of this slide is to make is that the Board understands the Infosec team leads a broad cross-functional risk management effort. Cybersecurity is not simply “the Security team’s problem.” If you do not have a formal Internal Audit function at your organization, you should merge Layers 2 and 3 and change the title of this slide.
  • #19 Customize this slide to represent the full set of activities and sub-activities performed by your Infosec team, and the corresponding responsibilities.
  • #20 Use this slide to set up the security framework you will describe in the next few slides. Ensure that Board members understand that the security framework is not just how you implement Infosec at your organization but will also be used in future Board conversations to create consistency, promote understanding, and ensure sufficiently high-level discussions.
  • #21 Use this slide to teach the Board the NIST cybersecurity framework, or another framework if you use something else. Explain how unlike other approaches, your approach to the framework involves a hard metrics. These metrics help you a) quantify cyber risk in business language of $s (or some other currency) and b) map cyber risk to operational which guide better operational cybersecurity and risk management practices. It may be valuable to spend extra time here for Q&A to ensure full comprehension by the board members.
  • #22 Use this slide to show how your security framework (NIST) can be used to analyze breaches in the news. A common question Board members ask is, ‘Are we secure? Can this happen here?’ Your logical analysis of the situation, and how it fits in with the overall story you have been telling them will go a long way in earning the board’s trust. This might also be the time to highlight big gaps in your security program and ask for the financial support and mandate you need from the board to close the gap. Quantifying the level of risk in money units will get your point across to the board.
  • #24 Use this slide to provide an overview of your Infosec projects, and how they will serve to improve your cybersecurity posture. Your main objective is to provide assurance that you are effectively managing to your strategic roadmap and to answer questions about the goals. Be prepared to discuss any project you list on this slide.
  • #25 You should substitute your values for Breach Risk, Likelihood and Impact as appropriate. The trend chart can be updated by right-clicking and selecting “Edit Data in Excel”. It is critical that you use a consistent, data-driven and therefore defensible approach for constructing and populating your risk dashboard. These widgets can be also automatically generated by Balbix. Remember to lead with emotion when presenting these numbers. Most members of the board will take the cue from how you present this data interpret these numbers as good, neutral or bad. $37M of cyber risk may be completely acceptable or not depending on the size and risk appetite of your business. You must resist the urge to sugarcoat things and paint an overly optimistic (“all green”) picture of cybersecurity posture. Experienced board members will see right through this.
  • #26 You should substitute your business unit names and values. The two bar charts can be updated by right-clicking and selecting “Edit Data in Excel”. All three widgets can be automatically generated by Balbix by analyzing data from your IT, cybersecurity and business tools or from your cybersecurity data lake. This is the slide where the board gets to really understands the amount of risk you are carrying. Again $17M of risk in the “Industrial” business unit may be completely acceptable or not depending on your overall business situation. Make sure you provide appropriate commentary with the appropriate emotion to help the board interpret these numbers as what they mean to you. The Trend widget is the most important widget on this slide. Trends in general help you tell the story f your cybersecurity program. Board members like trends.
  • #28 Tell the board how this slide shows the value of your currently deployed controls. The picture on the left is what your organization would look like without the controls. The trend line shows progress in overall effectiveness of your controls. These types of data-driven visuals inspire your Board’s trust because they realize that your story is based on facts, and your decisions are based on data.
  • #29 Tell the board how ultimately the only thing that matters is speed of containment of risk. Your overall objective is to minimize the window of opportunity for attackers by deploying protective controls and maximally automating the mitigation of any vulnerability as it becomes known, But occasionally, an attack will slip through and your goal is to detect such situations as quickly as possible and then contain the situation. Investing in automation is key.
  • #31 This might be the slide that your board members remember the most. Things are getting greener and yellower, so that is good. This widget can be automatically generated by Balbix.
  • #36 Identify is the foundational layer in the NIST cybersecurity framework. You cannot protect what you don’t know about! The 1st Identify capability that your cybersecurity program needs is: automatic and comprehensive discovery of enterprise assets (devices, applications, services and users) across on-prem, cloud and 3rd parties. The 2nd piece is continuous assessment for vulnerabilities and risk items for all enterprise assets (including people) across 100+ attack vectors. The 3rd capability you need is mapping risks and vulnerabilities at the device-network level to business units and risk owners, and quantifying risk in money terms. Because of the size and complexity of the attack surface, “Identify” is not a human scale problem anymore. https://www.balbix.com/product-overview/why-balbix/ We built Balbix specifically to harness the power of advanced AI and provide these capabilities for you. You can request a demo (https://www.balbix.com/request-a-demo/) or start your free trial. (https://www.balbix.com/free-signup/).
  • #37 Your 1st line of Protect capabilities is: EDR, firewall and VPN Continuous vulnerability management Balbix implements continuous risk-based vulnerability management OR can integrate with your existing vulnerability tool. As you make progress in improved Protect capabilities, Balbix will automatically detect your new mitigations and compensating controls (such as EDR) and update your risk calculation to take into account these new capabilities. Balbix can also generate continuous dashboards and reports that tell each risk owner what open vulnerabilities, risk items and tasks that they need to worry about. Risk owners can be compared against each other and incentivized to be at the top of the cybersecurity leaderboard. This can go a long way in developing a culture of shared risk ownership and driving down risk.
  • #38 Balbix contains risk context for all your assets including software version configuration, open vulnerabilities, threats, exposure, compensating controls and asset criticality information. This information can be accessed by your SOC team and used to prioritize their analysis tasks.
  • #39 Balbix’s Identify capabilities are foundational to implement increased maturity of your Respond Plan.
  • #40 Balbix’s Identify capabilities are foundational to implement increased maturity of your Recover Plan.
  • #41 Here is a picture that shows how automated cybersecurity posture works. Starting from the left, we first build and maintain automatic asset inventory. We also perform continuous assessment of vulnerabilities, we can bring in the global threat information, and then based on the business and security context that we have in Balbix, we evaluate those vulnerabilities, we prioritize them, we suppress certain of them based on mitigations we might have, what things you may have decided to postpone. Then we automatically dispatch prioritized lists of vulnerabilities and risk items to the various risk owners. Until this point onwards, everything is automated. Every one of the owners get their own dashboards with their own set of prioritized issues, kind of like a mini-organization. Each issue has to be either remediated, mitigated or accepted. Owners can configure different groups of assets, e.g., auto-update assets, test-and-patch assets and do-not-patch assets, and each of these groups is handled differently from a automation perspective. Balbix is also continuously validating vulnerabilities and risk items. Metrics is automatically updated in the Balbix dashboard, and reports are automatically triggered for various stakeholders. Deployment of Balbix will enable you to drive mean-time-to-resolve down to hours or days from weeks and months.