
Template for New CISO

Presentation to Board of
Directors
delete this slide after use

Using this Presentation Template


This presentation template will help you organize your first presentation to the board of directors. If
you have already presented to your board, you should use a different template for recurring CISO
presentations which can be downloaded here.

Directions
• The core presentation is Slides 7-29. Other slides contain instructions and additional materials.
• Customize these slides based on the unique context of your organization and industry.
• Look out for the Editable box to know which visualizations are modifiable.
• Review the guidance in the notes section below each slide.
• Use the slides in the appendix section as needed to augment the presentation.

The risk calculations and visualizations shown in this PowerPoint can be automated with Balbix. You
can request a demo here or start your free trial.
delete this slide after use

You are telling a story…


Remember you are communicating about a complex topic with people who typically do not have a
deep technical background.

Your goal with all your board presentations is to help the Board meet its fiduciary duties. To do this,
you will need to inspire the board’s trust and confidence in you and provide assurance that your
function is effectively managing information risk. This 1st presentation will play a foundational role
in setting you up properly with the Board.

Your best bet is to tell a compelling and simple story. It is more important to be interesting than to
be complete!
delete this slide after use

What your board cares about… 3 things

Revenue: Revenue growth and non-revenue objectives

Cost: Current and future expense

Risk: Compliance, threats to future revenue and brand reputation
delete this slide after use

Objectives of this 1st Presentation


• Introduce yourself to the Board
• Also re-introduce the Infosec function to the Board
• Explain how cybersecurity risks present board-level business risks
• Set up a framework for future discussions with the Board
• Introduce your strategic vision and roadmap for the Infosec function of your organization
delete this slide after use

OUTLINE OF YOUR PRESENTATION


This presentation template is divided into four sections designed to earn the Board’s trust and to provide a foundation for future CISO presentations to the board.

1. Infosec is a Board-Level Topic: Make a compelling case that cybersecurity and compliance risks pose a meaningful business risk and that your board presentations are designed to help the Board meet its fiduciary duty to provide oversight of risk management.

2. Overview of Cyber Risk Management: Provide a general overview of how the organization manages information risk.

3. Introducing our Infosec Framework: Teach the Board a simple security framework that facilitates risk discussions rather than technical discussions about cybersecurity and compliance.

4. Infosec Strategic Roadmap: Present Security’s current maturity levels against your security framework and lay out your vision and roadmap for improvement.
<company name> Information Security Update
11/8/21

Add Your Logo Here


ABOUT ME

[insert photo]
Jane Smith
Chief Information Security Officer
Jane.Smith@company.com

My Experience
• XXX
• YYY
• ZZZ

Education and Certifications
• Degrees
• Certifications
AGENDA

1. Infosec is a Board-Level Topic
2. Overview of Cyber Risk Management
3. Introducing our Infosec Framework
4. Infosec Strategic Roadmap


NOTABLE DATA BREACHES (2015 – PRESENT)

[Timeline chart, 2015 through 2020, of notable breaches: Twitter, JP Morgan Chase, Ashley Madison, LinkedIn, Friend Finder, Verizon, Facebook, Elastic Search, Bell Canada, Sony Pictures, Scottrade, Ticketfly, OPM, Zoom, Equifax, First American, Experian, Marriott, MGM, Home Depot, Anthem]


THE REGULATORY LANDSCAPE IS GROWING RAPIDLY

[Chart: regulations and frameworks plotted by year and grouped as Industry Specific, US State Level, US Federal Level and International. Items shown include: Consumer Bill of Rights, The Basic Cybersecurity Act, Federal Breach Notification Law (Upcoming), CCPA (2020), HI SB418, NY S5642, Data Protection Act, GDPR (2018), NIST Cybersecurity Framework 1.1 (2018), Student Digital Privacy Act, MD SB 613, MA S-120, MLPS 2.0 (2019), CIS Critical Security Controls 7.1 (2019), Cybersecure Canada (2019), Other Industry Relevant Guidelines, California S.B. [number not recoverable], NIST Privacy Framework (2020), Final Omnibus Rule Update (2013), NV 220 (2019), EU-US Privacy Shield (2016), PCI DSS 3.2.1 (2018), COBIT, MS S.B. 2831, MA LD 946, HITECH Act (2009), FISMA (2014), State-Specific Breach Notification Laws (2003 – Present), PIPEDA (2000), GLBA (1999), NRC standards, LFPDPP (2010), HITRUST CSF (2007 – Present), ISO/IEC 27001 (2013 – Present), COPPA (2000)]


INFORMATION RISK IS BUSINESS RISK

Cyber Breach Risk and Compliance Risk translate into:

• Strategic Risk: A theft of IP leads to bad press and long term value loss
• Operational Risk: A ransomware attack leads to downtime and loss of revenue
• Financial Risk: A compliance violation leads to a big fine and bad press
• Reputational Risk: Loss of customer data results in bad press and harms customer trust.
THE BOARD’S ROLE IN CYBER RISK OVERSIGHT

5 Principles of Effective Cyber Risk Oversight: Guidance by National Assoc. of Corporate Directors

1. Boards should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

2. Boards should understand the legal implications of cyber risk as they apply to the company’s specific circumstances

3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda

4. Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework

5. Board-management discussion about cyber risk should include identification of which risks to avoid, accept, and mitigate or transfer through insurance, as well as specific plans

Source: National Association of Corporate Directors, Cyber-Risk Oversight Handbook, 2020




THREE LAYERS OF INFORMATION RISK MANAGEMENT

Layer 3. Internal Audit
Internal Audit provides the ultimate assurance that information risks are being appropriately managed.

Layer 2. Risk Management (Legal, HR, Information Security, Compliance, Privacy)
Responsibilities:
• Mapping assets to risk owners
• Identifying known and emerging risks
• Facilitating risk management workflows

Layer 1. Risk Owners – in IT or in the Business Units
Responsibilities:
• Owning and managing risks
• Maintaining effective controls
• Making daily risk management tradeoff decisions

[Diagram: Business Segments BS1–BS3 contain Business Units BU1–BUn; each unit’s sites and asset types (Asset Type 1, Asset Type 2 … Asset Type n) map to risk owners Owner 1 … Owner N]
OUR INFOSEC FUNCTION IN DETAIL

Engage Stakeholders
• Interact with CEO and Board
• Structure Cross-Functional Relationships
• Drive Ownership and Accountability
• Evaluate and oversee deployment of new security tools

Assess and Manage Information Security Risk
• Manage Incident Response
• Manage Security Architecture
• Monitor Systems and Events
• Manage Vulnerabilities and other risk items
• Manage Third-Party Risks
• Manage Employee Awareness & Training
• Operate Security Controls
• Manage Business Continuity and Disaster Recovery Plans
• Manage Information Security Vendors

Regulatory Compliance
• Respond to Regulatory Requirements
• Manage Data Classification
• Manage Data Privacy

Manage Infosec Function
• Risk Management Strategy
• Maintain Records and E-Discovery
• Manage Information Security Budget
• Hiring and Training
• Measure Performance


WE USE THE NIST CYBERSECURITY FRAMEWORK

Uses of the NIST Cybersecurity Framework
• Understanding and communicating security status
• Prioritizing infosec activities
• Improving our cybersecurity program
• Updating the Board on the organization’s cybersecurity posture
• Understanding breaches in the news
• Aligning regulatory requirements with broader risk management activities

[Diagram: the framework as the shared vocabulary between the CISO, the Board and the Risk Owners]
WE USE THE NIST CYBERSECURITY FRAMEWORK

Capability | Description
Identify | What processes and assets need protection?
Protect | Implement appropriate safeguards to ensure protection of the enterprise’s assets
Detect | Implement appropriate mechanisms to identify the occurrence of cybersecurity incidents
Respond | Develop techniques to contain the impacts of cybersecurity events
Recover | Implement the appropriate processes to restore capabilities and services impaired due to cybersecurity events
THE EQUIFAX BREACH IN CONTEXT

Identify
Equifax: Equifax did not have an up-to-date inventory of all enterprise assets and they had gaps in their periodic vulnerability assessment program.
Our Organization: We still have some gaps in our cybersecurity visibility and vulnerability management program but have made good progress in recent months.

Protect
Equifax: Attackers breached Equifax’s network through a known vulnerability that was not patched and were able to penetrate deeper due to a flat network.
Our Organization: We continue to invest in protective controls. This year we are deploying EDR and email security, and reducing mean-time-to-patch below 30 days.

Detect
Equifax: Equifax’s detection capabilities were hampered by their lack of visibility into the use of expired and self-signed certificates in their network.
Our Organization: We have invested heavily in our monitoring capabilities. Our 24x7 SOC keeps a vigilant eye out for anomalies in traffic patterns.

Respond
Equifax: Equifax waited a full month before announcing the breach, and when they did so it was using a web domain that was not secure.
Our Organization: In case of breach, we have a detailed plan to contact the authorities and inform our customers.

Recover
CYBERSECURITY POSTURE MATURITY

[Chart: Maturity Level and Peer Benchmark for each capability (Identify, Protect, Detect, Respond, Recover) on the scale Partial – Informed – Repeatable – Adaptive]
CYBERSECURITY KPIs: RISK, LIKELIHOOD & IMPACT

Risk: $17M | Likelihood: 48% | Impact: $35M

[Chart: Breach Risk Trend in $M, y-axis 0–40, for Q3 '19, Q4 '19, Q1 '20, Q2 '20]

Editable: There is a 48% chance that we will have an impact of $35M from a cybersecurity event this year.
RISK BY BUSINESS AND ATTACK TYPE

Breach Likelihood by Business Unit (0%–100%):
• Academic & Professional: 72%
• Education: 75%
• Research: 45%

Breach Risk by Business Unit – Q/Q ($0M–$10M, paired bars):
• Academic & Professional: $7M / $1M
• Education: $8M / $1.2M
• Research: $2M / $0.9M

Breach Likelihood by Attack Vector: [chart]

Editable
WE USE THIS WIDGET TO PROVIDE A BIRD’S EYE VIEW OF CYBERSECURITY POSTURE

The outer ring is everything “Internet Facing”. This is where attacks begin before burrowing into the core.

The inner circle is the core, properly behind the corporate “firewall”. This is where most of our valuable information and critical systems are.

Red means high likelihood of breach. Green and Orange are better.


E.g., EFFECTIVENESS OF PROTECTIVE CONTROLS

[Chart: Controls Effectiveness Index With Current Controls, y-axis 0–0.8, for Q3 '19, Q4 '19, Q1 '20, Q2 '20]
CYBERSECURITY KPIs: MEAN-TIME-TO-RESOLVE

[Diagram: a loop of continuous monitoring → indicators of vulnerabilities, attack or compromise → evaluate and dispatch → contain]

Minimize exposure and risk by automating the remediation of vulnerabilities and risk items at high velocity.
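As an added worked example (not part of the template or of Balbix’s product), the KPIs from the risk slide and the mean-time-to-resolve slide above computed in Python: breach risk as likelihood times impact per business unit, the enterprise total, the quarter-over-quarter change behind the trend chart, and mean-time-to-patch checked against the 30-day target from the Equifax comparison slide. The business-unit impacts and the patch records are constructed sample values; only the 48% / $35M headline pair comes from the slides.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class BusinessUnitRisk:
    name: str
    breach_likelihood: float  # probability of a material breach this year (0..1)
    impact_musd: float        # estimated loss if that breach happens, in $M

    def breach_risk_musd(self) -> float:
        # Breach risk as expected loss: likelihood x impact, the model behind the
        # slide's "48% chance of a $35M impact" headline (~$17M of risk)
        return self.breach_likelihood * self.impact_musd


def total_breach_risk_musd(units: list[BusinessUnitRisk]) -> float:
    # Expected losses add across units (linearity of expectation), so the
    # enterprise figure needs no assumption about whether breaches are correlated
    return sum(u.breach_risk_musd() for u in units)


def quarter_over_quarter_change(previous_musd: float, current_musd: float) -> float:
    # Relative change between two quarters, as plotted on the Breach Risk Trend chart
    if previous_musd == 0:
        raise ValueError("previous quarter risk must be non-zero")
    return (current_musd - previous_musd) / previous_musd


def mean_time_to_patch_days(records: list[tuple[date, date]]) -> float:
    # records: (found, patched) dates of vulnerabilities closed in the period;
    # still-open items are excluded by the caller so they cannot lower the mean
    if not records:
        raise ValueError("no resolved records in period")
    for found, patched in records:
        if patched < found:
            raise ValueError(f"patched before found: {found} -> {patched}")
    return sum((patched - found).days for found, patched in records) / len(records)


def meets_patch_target(records: list[tuple[date, date]], target_days: float = 30.0) -> bool:
    # The deck's stated goal is mean-time-to-patch below 30 days
    return mean_time_to_patch_days(records) < target_days


# Constructed sample data; only the 48% / $35M pair is taken from the slides
HEADLINE = BusinessUnitRisk("Enterprise", 0.48, 35.0)
UNITS = [
    BusinessUnitRisk("Academic & Professional", 0.72, 10.0),
    BusinessUnitRisk("Education", 0.75, 10.0),
    BusinessUnitRisk("Research", 0.45, 5.0),
]
PATCH_RECORDS = [
    (date(2020, 4, 1), date(2020, 4, 15)),   # 14 days
    (date(2020, 4, 3), date(2020, 5, 13)),   # 40 days
    (date(2020, 4, 10), date(2020, 4, 16)),  # 6 days
]
```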


CYBERSECURITY POSTURE PROJECTS

Capability | Initiatives | 2020–2021 roadmap items

Identify | Implement continuous cybersecurity posture visibility. Build risk owner’s matrix and update quarterly. | Deploy Balbix; Asset Criticality Analysis; Build risk group hierarchy and assign risk owners

Protect | Implement strong identity with adaptive authentication. Improve security hygiene and patching posture. Update email security. | Deploy Okta; Turn on Okta adaptive auth; Build Balbix workflows for non-patching risk items; Deploy Proofpoint; Improve Patching Posture using Balbix or similar tool

Detect | Incorporate threat feeds in SOC workflows. | Integrate Recorded Future in SOC

Respond | Improve incident response with automated playbooks | Integrate TBD SOAR platform in SOC

Recover | Review & update business continuity plan every quarter | Review & identify gaps in plan with risk owners; Develop plan update to address gaps; Implement & test plan
CYBERSECURITY POSTURE GOALS

[Chart: Breach Risk Change and Target State, with bars for Q4 ‘19, Today and Target for Q4 ‘20]


Q&A
delete this slide after use

If you found these slides useful…

Balbix can help you with many critical pieces of your Infosec program.

The Balbix platform uses AI to help discover and analyze your assets and attack surface to Identify areas of greatest risk. This is foundational to effective capabilities for Protect, Detect, Respond and Recover.

Balbix also enables you to automate critical elements of your cybersecurity program and quantify changes in risk as you improve your cybersecurity posture. The next few slides have some additional examples of this.

Start your free Balbix trial >>>


delete this slide after use

IDENTIFY

Maturity Level

Partial
• Incomplete or manual inventory
• Incomplete and non-continuous vulnerability assessment

Informed
• Automatic asset discovery and inventory
• Continuous vulnerability assessment across 100+ attack vectors incl. people
• Can quantify the impact of deployed mitigations on risk

Repeatable
• Previous level capabilities
• New vulnerabilities and risk items are automatically mapped to risk owners
• Risk owners are notified about risk items that require action

Adaptive
• Previous level capabilities
• Risk is understood in units of currency
• Different mitigation scenarios are simulated and compared

Balbix can help your organization implement all capabilities that are needed for Adaptive Level Maturity for Identify.

Start your free Balbix trial >>>
delete this slide after use

PROTECT

Maturity Level

Partial
• “Partial” maturity level for Identify capabilities
• Some basic protections in place such as anti-virus and Internet firewall

Informed
• “Informed” or higher maturity level for Identify capabilities
• EDR and VPN deployed, security awareness training
• Continuous vulnerability management for the majority of organization’s assets
• Partially segmented network

Repeatable
• Previous level capabilities
• Strong Identity
• Continuous security & risk training of people
• Zones and Adaptive Trust
• Periodic penetration testing of defenses

Adaptive
• Previous level capabilities
• Automated management of vulnerabilities and risk items

Balbix can help your organization implement important Identify and Protect capabilities (underlined above) that are needed for increased maturity of Protect

Start your free Balbix trial >>>
delete this slide after use

DETECT

Maturity Level

Partial
• “Partial” maturity level for Identify capabilities
• Security Operations Center (SOC) not implemented

Informed
• “Informed” or higher maturity level for Identify capabilities
• Basic SOC with partial monitoring coverage of security events from organization’s assets

Repeatable
• Previous level capabilities
• Advanced SOC with comprehensive monitoring and detect coverage of security events

Adaptive
• Previous level capabilities
• Proactive threat hunting capabilities
• Prioritization of SOC activities based on Risk

Balbix can help your organization implement important Identify and Detect capabilities (underlined above) that are needed for increased maturity of Detect

Start your free Balbix trial >>>
delete this slide after use

RESPOND

Maturity Level

Partial
• “Partial” maturity level for Identify capabilities
• No formal Respond Plan

Informed
• “Informed” or higher maturity level for Identify capabilities
• Manual Respond Plan for critical organization assets
• Periodic review and update of Respond Plan

Repeatable
• Previous level capabilities
• Automated Respond Plan for all enterprise assets

Adaptive
• Previous level capabilities
• Optimized Respond Plan for all enterprise assets

Balbix’s Identify capabilities (underlined above) are foundational to implement increased maturity of your Respond Plan

Start your free Balbix trial >>>
delete this slide after use

RECOVER

Maturity Level

Partial
• “Partial” maturity level for Identify capabilities
• No formal Recover Plan

Informed
• “Informed” or higher maturity level for Identify capabilities
• Manual Recover Plan for critical organization assets
• Periodic review and update of Recover Plan

Repeatable
• Previous level capabilities
• Automated Recover Plan for identified critical assets

Adaptive
• Previous level capabilities
• Recover Plan optimized for timely restoration of assets and functions based on business criticality

Balbix’s Identify capabilities (underlined above) are foundational to implement increased maturity of your Recover Plan

Start your free Balbix trial >>>
delete this slide after use

CYBERSECURITY POSTURE AUTOMATION

[Flow diagram]
Inputs: Global Threat & Vulnerability Data; Balbix sensors and other IT and Cybersecurity Data Sources
→ Automatic Asset Inventory
→ Continuous Assessment of Vulnerabilities and Risk Issues
→ Evaluation of Vulnerabilities and Risk Issues (some risk issues are automatically accepted based on specific enterprise context)
→ Prioritized list of Vulnerabilities and Risk Items
→ Dispatch to Risk Owners, giving each owner a per-owner prioritized list of Vulnerabilities and Risk Items
→ Owner Review, with the outcomes: Manual or Automated Fix/Mitigation Steps followed by Automatic Validation; Accept Risk for some issues and document reasons; Assign to another owner
→ Periodic Review of Exceptions
→ Dashboards & Reporting
LEARN MORE ABOUT BALBIX

In 30 minutes, we will show how Balbix can help you automate your cybersecurity posture.

With Balbix, you will use AI, automation and gamification to discover, prioritize and mitigate your unseen vulnerabilities at high velocity.

Request a Demo

A single, comprehensive view of cybersecurity posture

https://www.balbix.com/request-a-demo/
delete this slide after use

Good Luck!

Start your free Balbix trial >>>
