Directions
The core presentation is Slides 7-21. Other slides contain instructions and additional materials.
Customize these slides based on the unique context of your organization and industry.
Editable
Look out for the box to know which visualizations are modifiable.
Review the guidance in the notes section below each slide.
Use the slides in the appendix section as needed to augment the presentation.
The risk calculations and visualizations shown in this PowerPoint can be automated with Balbix. You
can request a demo here or start your free trial.
delete this slide after use
Your goal with this presentation is to help the Board meet its fiduciary duties. In order to do
so, you will need to quantify cyber risk in business terms and map these to your key
operational projects and metrics.
Ultimately what you say will need to inspire the board’s trust and confidence in you and
provide assurance that your function is effectively managing information risk.
Your best bet is to tell a compelling and simple story. It is more important to be interesting
than to be complete!
delete this slide after use
Consider:
• Are you presenting good or bad news? Do you want the board to feel happy about the progress
Infosec is making? Or is this bad news because you don’t have funding for everything that
absolutely needs to be done?
• How happy do you want them to feel? Excited because cybersecurity posture is indeed better?
Mildly concerned that some risks are manifesting but you have them under control? Or deeply
concerned because there are “someone might go to jail-level” security holes?
delete this slide after use
Many CISOs cannot quantify and equate cyber risk in dollars and cents of expected loss.
Remember that the common currency everyone understands is money. If you speak in relative
terms, like high, medium or low risk, your board member has no real idea whether your definition of
“medium” is “an acceptable level of risk”. When you quantify in money terms, e.g., ransomware is
a $50M risk item, this becomes easy.
delete this slide after use
Summary of Last Update to Board
Summarize the previous Board update. Follow up on any incomplete conversations or action items.

Overall State of the Risk Landscape/Notable Events
Update the Board on the overall risk and threat landscape, including any notable events or major
shifts that they may have heard about in the news. Use this section as an opportunity to highlight
similar open risks in your organization and quantify these loss scenarios in money units. Propose
or discuss your mitigation plan/approach.

Cyber Risk Performance Metrics
Present metrics and supporting data that demonstrate Infosec’s progress towards the annual or
quarterly objectives that you presented earlier to the Board. If your metrics are off, it is best
to be transparent with your board as to why things are not going according to plan.
delete this slide after use
Don’t waste the valuable airtime you get with your board on discussing “how well the organization
is doing with compliance”. Your board should never get confused between compliance items and
cybersecurity issues. Statements like “we are fully compliant with SOC2 Type 2, but we have big
gaps in our cybersecurity posture” can be very confusing to board members.
Cyber Risk Update for <Company X> Board of Directors
June 30, 2022
[Chart (editable); values shown on the slide: $50M, $25M, 60 days, 30 days]
RECENT ATTACKS IMPACTING COMPANY X
[Table (editable); entries shown on the slide:
eCommerce: Brand Impersonation; Website Defacement
Workforce: 90-95%
Infrastructure & Supply Chain
IT Operations: Supply Chain; Supply Chain]
LEARNINGS FROM THE COLONIAL ATTACK
Protect
At Colonial: Attackers breached Colonial’s network through a compromised credential and were able to
quickly penetrate deep due to a flat network.
What we are doing: We continue to invest in protective controls. This year we are deploying MFA and
EDR. We are reducing mean-time-to-patch below 30 days.
Detect
At Colonial: Colonial’s detection capabilities were hampered by their lack of visibility into user
activity and the connections between their IT and OT networks.
What we are doing: We have invested heavily in our monitoring capabilities. Our 24x7 SOC keeps a
vigilant eye out for anomalies in traffic patterns.
Respond
At Colonial: Colonial did not have a good response plan for attacks to the IT network. They had to
shut down their OT network as a precautionary measure.
What we are doing: In case of breach, we have a detailed plan to limit damage, contact the
authorities and inform our customers.
Recover
[Chart value shown on the slide: $37M]
Summary of Last Update to Board
[Charts (editable). Headline figures: Risk $37M, Likelihood 48%, Impact $77M.
Risk Snapshot by Business Unit: Industrial $17,000M, Lighting $10,000M (axis $0 to $25,000M).
Breach Risk Trend: $M by quarter, Q4 '20 to Q3 '21 (axis 0 to 90).
Breach Likelihood by Attack Type: Phishing 61%, Misconfiguration 27% (axis 0% to 100%).]
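The arithmetic behind a snapshot like the one above, as an added example that is not part of the Balbix template: a small risk register in which each loss scenario carries an annual likelihood and a dollar impact, expected loss is likelihood times impact, and the results roll up by business unit and by attack type. The record layout, function names and every scenario value are constructed; the sample is tuned so the totals land near the slide's headline numbers. Two assumptions are labelled in the code: the headline "likelihood" is taken to be expected loss divided by total impact, and the probability of at least one breach treats the scenarios as independent.

```python
"""Cyber risk in money units: expected loss per scenario, rolled up for a board view.

Added example; the register below is constructed, not the template's data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class LossScenario:
    """One loss scenario in the register (hypothetical record layout)."""
    business_unit: str
    attack_type: str
    likelihood: float   # annual probability the scenario materialises, 0..1
    impact_usd: float   # loss in US dollars if it does


# Constructed sample register, chosen so the totals come out near the slide's
# headline numbers (Risk $37M, Likelihood 48%, Impact $77M).
SAMPLE_REGISTER: List[LossScenario] = [
    LossScenario("Industrial", "Ransomware",       0.60, 40_000_000),
    LossScenario("Lighting",   "Phishing",         0.45, 20_000_000),
    LossScenario("Lighting",   "Misconfiguration", 0.25, 12_000_000),
    LossScenario("Industrial", "Supply Chain",     0.25,  5_000_000),
]


def expected_loss(s: LossScenario) -> float:
    """The 'risk in dollars' for one scenario: likelihood x impact."""
    return s.likelihood * s.impact_usd


def rollup(scenarios: Sequence[LossScenario], field: str) -> Dict[str, float]:
    """Sum expected loss by a scenario field, e.g. 'business_unit' or 'attack_type'."""
    totals: Dict[str, float] = defaultdict(float)
    for s in scenarios:
        totals[getattr(s, field)] += expected_loss(s)
    return dict(totals)


def share(scenarios: Sequence[LossScenario], field: str) -> Dict[str, float]:
    """Each group's fraction of total expected loss (the 'by attack type' chart)."""
    total = sum(expected_loss(s) for s in scenarios)
    return {k: v / total for k, v in rollup(scenarios, field).items()}


def headline(scenarios: Sequence[LossScenario]) -> Dict[str, float]:
    """Portfolio view: total impact, total expected loss and a blended likelihood.

    Blended likelihood = expected loss / impact. This is an assumption about how a
    single likelihood figure is derived from many scenarios; label it as such to the board.
    """
    impact = sum(s.impact_usd for s in scenarios)
    loss = sum(expected_loss(s) for s in scenarios)
    return {"impact_usd": impact, "expected_loss_usd": loss, "blended_likelihood": loss / impact}


def prob_any_breach(scenarios: Sequence[LossScenario]) -> float:
    """Probability that at least one scenario occurs this year, assuming independence.

    Not the same as the blended likelihood: with several plausible scenarios it is much
    higher, which is the caveat to give a board that reads 48% as 'less than even odds'.
    """
    p_none = 1.0
    for s in scenarios:
        p_none *= 1.0 - s.likelihood
    return 1.0 - p_none


def top_scenarios(scenarios: Sequence[LossScenario], n: int = 3) -> List[LossScenario]:
    """Scenarios ranked by expected loss: the order in which to talk about them."""
    return sorted(scenarios, key=expected_loss, reverse=True)[:n]


if __name__ == "__main__":
    h = headline(SAMPLE_REGISTER)
    print(f"Risk ${h['expected_loss_usd'] / 1e6:.1f}M  Likelihood {h['blended_likelihood']:.0%}  "
          f"Impact ${h['impact_usd'] / 1e6:.0f}M")
    for bu, usd in rollup(SAMPLE_REGISTER, "business_unit").items():
        print(f"  {bu:<12} ${usd / 1e6:.2f}M")
    for at, frac in share(SAMPLE_REGISTER, "attack_type").items():
        print(f"  {at:<18} {frac:.0%}")
    print(f"P(at least one breach) = {prob_any_breach(SAMPLE_REGISTER):.0%}")
```

Keeping the register as data and the roll-ups as functions means the same code produces the per-business-unit snapshot, the attack-type breakdown and the headline figures, so the three charts stay consistent with one another when a scenario is re-estimated.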
RISK DETAIL HIGHLIGHT
3. We are working hard to mitigate this risk by rolling out better capabilities to identify,
prioritize and mitigate vulnerabilities. For phishing, we are rolling out better Email security.
Some progress has been made, as evident in recent risk reduction for the business unit: Lighting.
Top Projects
1. Real-time Visibility
2. Automated Vuln Mgmt.
3. Email Security
STRATEGIC INITIATIVE: AUTOMATION
[Figure: our exposure plotted against time. A risk emerges at tX (e.g., a newly discovered
vulnerability), is discovered at tD and is resolved at tR. The interval from tX to tD is the
Mean Discovery Time (MDT); the interval from tD to tR is the Mean Time To Resolve (MTTR).]
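The exposure model in the figure, worked through as an added example that is not part of the Balbix template: each risk item carries the three timestamps tX, tD and tR, MDT and MTTR are averages over those intervals, and the exposure the organization actually carried is measured from tX to tR, or to the reporting date for items still open. The record layout, function names and the three sample items are constructed. The open-item handling is the point worth noting: an MTTR computed only over resolved items says nothing about the exposure of items nobody has fixed yet, so exposure is counted separately and includes them.

```python
"""MDT, MTTR and cumulative exposure for a set of risk items.

Added example; the record layout and sample items are constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class RiskItem:
    """One vulnerability or risk item on its timeline (hypothetical record layout)."""
    name: str
    emerged: date                     # tX: the risk came into existence (e.g. CVE published)
    discovered: date                  # tD: we found it in our environment
    resolved: Optional[date] = None   # tR: fixed or mitigated; None while still open


# Constructed sample: two resolved items and one still open at the reporting date.
AS_OF = date(2022, 3, 1)
SAMPLE_ITEMS: List[RiskItem] = [
    RiskItem("vuln-A", date(2022, 1, 1), date(2022, 1, 11), date(2022, 2, 10)),
    RiskItem("vuln-B", date(2022, 1, 5), date(2022, 1, 9), date(2022, 1, 19)),
    RiskItem("vuln-C", date(2022, 2, 1), date(2022, 2, 21), None),
]


def mean_discovery_time_days(items: Sequence[RiskItem]) -> float:
    """MDT: average days from tX to tD, over every item (discovery always has a date)."""
    return mean((i.discovered - i.emerged).days for i in items)


def mean_time_to_resolve_days(items: Sequence[RiskItem]) -> float:
    """MTTR: average days from tD to tR, over resolved items only.

    Open items are excluded here by necessity, which is why MTTR alone can look
    healthy while exposure keeps growing; see total_exposure_days.
    """
    resolved = [i for i in items if i.resolved is not None]
    if not resolved:
        return 0.0
    return mean((i.resolved - i.discovered).days for i in resolved)


def exposure_days(item: RiskItem, as_of: date) -> int:
    """Days the organisation was exposed to one item: tX to tR, or to as_of if still open."""
    end = item.resolved if item.resolved is not None else as_of
    return (end - item.emerged).days


def total_exposure_days(items: Sequence[RiskItem], as_of: date) -> int:
    """Cumulative exposure across all items, open ones counted up to the reporting date."""
    return sum(exposure_days(i, as_of) for i in items)


def open_items(items: Sequence[RiskItem]) -> List[RiskItem]:
    """Items with no resolution date yet: the backlog that automation is meant to shrink."""
    return [i for i in items if i.resolved is None]


if __name__ == "__main__":
    print(f"MDT  = {mean_discovery_time_days(SAMPLE_ITEMS):.1f} days")
    print(f"MTTR = {mean_time_to_resolve_days(SAMPLE_ITEMS):.1f} days (resolved items only)")
    print(f"Total exposure as of {AS_OF}: {total_exposure_days(SAMPLE_ITEMS, AS_OF)} item-days")
    print(f"Still open: {[i.name for i in open_items(SAMPLE_ITEMS)]}")
```

Reporting exposure in item-days alongside MDT and MTTR gives the board a number that moves when either interval shrinks, which is the effect the automation initiative is meant to produce.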
PROGRESS IN CYBERSECURITY POSTURE
Protect: Implement strong identity with adaptive authentication. Improve security hygiene and
patching posture. Update email security.
Workstreams: Deploy Okta; Turn on Okta adaptive auth; Deploy Proofpoint; Improve Patching Posture
using Balbix or similar tool; Build Balbix workflows for non-patching risk items.
Recover: Review & update business continuity plan every quarter.
Workstreams: Review & identify gaps in plan with risk owners; Develop plan update to address gaps;
Implement & test plan.
PROGRESS IN CYBERSECURITY POSTURE
1. What is our threat landscape in 2021 - how are we doing?
Cyber Attacks are Significantly Up. Phishing attacks are up significantly. New CVEs with exploits
in the wild are being disclosed at a faster rate.
2. What is our cyber risk from attacks via our vendors?
25% likelihood of a significant breach via a supply chain attack. Double down on visibility.
Revisit and update supply chain security standards and contracts.
3. What is our readiness for ransomware scenarios?
60% likelihood of ransomware incident with expected loss $10M. Invest in automation to detect and
mitigate critical risk issues quickly. Business risk-based security tools to help identify top
scenarios.
APPENDIX SLIDES
INFOSEC MANAGES BUSINESS-LEVEL RISK
5 Principles of Effective Cyber Risk Oversight: Guidance by National Assoc. of Corporate Directors
1. Boards should approach cybersecurity as an enterprise-wide risk management issue, not just an IT
issue
2. Boards should understand the legal implications of cyber risk as they apply to the company’s
specific circumstances
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk
management should be given regular and adequate time on the board meeting agenda
4. Boards should set the expectation that management will establish an enterprise-wide cyber-risk
management framework
5. Board-management discussion about cyber risk should include identification of which risks to
avoid, accept, and mitigate or transfer through insurance, as well as specific plans
[Organization chart: Business Segment; Business Unit; CISO and Deputy CISO.
Responsibilities of the CISO and Deputy CISO: Manage Information Security Risk; Manage Compliance
and 3rd Party Risks; Interact with CEO and Board; Manage Incident Response; Manage Security
Architecture; Respond to Regulatory Requirements; Manage Data Classification.]
delete this slide after use
The Balbix platform uses AI to help discover and analyze your assets and attack surface to
Identify areas of greatest risk. This is foundational to effective capabilities for Protect,
Detect, Respond and Recover.
Balbix will automatically and rigorously quantify your cyber risk in $s.
Balbix also enables you to automate critical elements of your cybersecurity program and quantify
changes in risk as you improve your cybersecurity posture. The next few slides have some
additional examples of this.
Start your free Balbix trial >>>
delete this slide after use
You can learn more about how to rigorously estimate your cyber risk
in money units by analyzing data from your various cybersecurity, IT
and business tools.
IDENTIFY
Maturity Level 1 (lowest): Incomplete or manual inventory. Incomplete and non-continuous
vulnerability assessment.
Maturity Level 2: Continuous asset discovery and inventory. Continuous vulnerability assessment
across 100+ attack vectors incl. people. Can quantify the impact of deployed mitigations on risk.
Maturity Level 3: Previous level capabilities. New vulnerabilities and risk items are automatically
mapped to risk owners. Risk owners are notified about risk items that require action.
Maturity Level 4 (highest): Previous level capabilities. Risk is understood in units of currency.
Different mitigation scenarios are simulated and compared.
PROTECT
Maturity Level 1 (lowest): “Partial” maturity level for Identify capabilities. Some basic
protections in place such as anti-virus and Internet firewall.
Maturity Level 2: “Informed” or higher maturity level for Identify capabilities. Strong Identity.
EDR and VPN deployed, security awareness training. Continuous vulnerability management for the
majority of organization’s assets.
Maturity Level 3: Previous level capabilities. Continuous security & risk training of people.
Partially segmented network.
Maturity Level 4 (highest): Previous level capabilities. Proactive management of vulnerabilities
and risk items. Zones and Adaptive Trust. Periodic penetration testing of defenses.
Balbix can help your organization implement important Identify and Protect capabilities
(underlined above) that are needed for increased maturity of Protect.
Start your free Balbix trial >>>
delete this slide after use
DETECT
Maturity Level 1 (lowest): “Partial” maturity level for Identify capabilities. Security Operations
Center (SOC) not implemented.
Maturity Level 2: “Informed” or higher maturity level for Identify capabilities. Basic SOC with
partial monitoring coverage of security events from organization’s assets.
Maturity Level 3: Previous level capabilities. Advanced SOC with comprehensive monitoring and
detect coverage of security events.
Maturity Level 4 (highest): Previous level capabilities. Proactive threat hunting capabilities.
Prioritization of SOC activities based on Risk.
Balbix can help your organization implement important Identify and Detect capabilities
(underlined above) that are needed for increased maturity of Detect.
Start your free Balbix trial >>>
delete this slide after use
RESPOND
Maturity Level 1 (lowest): “Partial” maturity level for Identify capabilities. No formal Respond
Plan.
Maturity Level 2: “Informed” or higher maturity level for Identify capabilities. Manual Respond
Plan for critical organization assets.
Maturity Level 3: Previous level capabilities. Automated Respond Plan for all enterprise assets.
Periodic review and update of Respond Plan.
Maturity Level 4 (highest): Previous level capabilities. Optimized Respond Plan for all enterprise
assets.
RECOVER
Maturity Level 1 (lowest): “Partial” maturity level for Identify capabilities. No formal Recover
Plan.
Maturity Level 2: “Informed” or higher maturity level for Identify capabilities. Manual Recover
Plan for critical organization assets.
Maturity Level 3: Previous level capabilities. Automated Recover Plan for identified critical
assets. Periodic review and update of Recover Plan.
Maturity Level 4 (highest): Previous level capabilities. Recover Plan optimized for timely
restoration of assets and functions based on business criticality.
[Workflow diagram: Balbix sensors and other IT and Cybersecurity Data Sources feed an Automatic
Asset Inventory, which drives Continuous Assessment of Vulnerabilities and Risk Issues and
produces a Prioritized list of Vulnerabilities and Risk Items. Items are Dispatched to Risk
Owners for Evaluation of Vulnerabilities and Risk Issues, with the option to Assign to another
owner. Some risk issues are automatically accepted based on specific enterprise context; these go
to a Periodic Review of Exceptions.]
LEARN MORE ABOUT BALBIX
In 30 minutes, we will show how Balbix
can help you automate your
cybersecurity posture.
Request a Demo
Good Luck!