well on their cybersecurity assessment, but when I asked what specific improvements resulted from those findings, they couldn’t answer. That disconnect between completing an exercise and achieving real security maturity represents exactly what needs to be addressed to develop real cybersecurity preparedness. FIVE ESSENTIAL BOARD RESPONSIBILITIES Directors don’t need to understand the technical details of firewalls or encryption. However, they do need to fulfill five essential oversight responsibilities: 1. UNDERSTAND YOUR SECURITY POSTURE Board members should ask management to explain the cybersecurity framework in plain language, request summaries of their security posture — including both strengths and weaknesses — and understand their top five security improvement priorities for the coming year, along with specific, measurable goals. For executives preparing these briefings, present framework results as a narrative, not a checklist. Translate technical findings into business risks with a clear improvement roadmap. Your directors can’t provide effective oversight if they don’t understand what you’re telling them. 2. ASK THE RIGHT QUESTIONS The questions directors ask matter more than whether they understand every technical answer. Focus on the following questions: How do we compare to peer institutions? What is the business impact associated with our three highest-rated risks? How do we validate that our controls are actually working? That last question is particularly important. Many institutions assume that because they have implemented a control, it must be working. Executives should be prepared with peer benchmarking data. Quantify risk in dollars and customer impact, not technical metrics. Include validation results, not just implementation status. 3. SET CLEAR EXPECTATIONS Directors need to define the institution’s acceptable risk tolerance for different types of threats, as well as establish a reporting cadence and format that enable informed decisions and require explanations in business terms, rather than technical jargon. If you can’t understand what you’re being told, you can’t provide effective oversight. Executives should request that the board define its risk appetite explicitly. Propose a reporting rhythm that strikes a balance between staying informed and not overwhelming directors. Test materials on non-technical colleagues first. 4. EVALUATE RESOURCE ALLOCATION The board should review whether the cybersecurity budget matches the institution’s stated risk appetite. You can’t credibly tell regulators and customers that security is a priority while underinvesting in it. When spending doesn’t match stated priorities, it’s only a matter of time before that gap is exploited. Executives should show budget trends and compare spending to peer institutions and industry benchmarks. Be transparent about skill gaps. If bringing in outside expertise for assessments, explain why that’s a strength. Present how security investment connects the dollars spent to the risks mitigated. 5. ASSESS TRUE SECURITY MATURITY Directors shouldn’t accept “we completed the assessment” as proof of security. Ask what management has done with the framework results to strengthen security. Most importantly, evaluate whether security is treated as a strategic advantage or just a compliance checkbox. For executives, lead with outcomes, not activities. Show how framework findings drove specific improvements. Demonstrate measurable progress year over year. Make the strategic case for security as a competitive differentiator, not just a regulatory obligation. PUTTING IT INTO PRACTICE Consider developing a one-page dashboard that answers the questions boards really need to know: What are our top three risks? What are we doing about them? How do we compare to peers? This kind of clear, focused reporting enables both effective oversight and productive board conversations — without overwhelming directors with technical details or requiring executives to explain the same concepts repeatedly. Steve Sanders serves as CSI‘s chief risk officer and chief information security officer. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight. 19 The Community Banker
RkJQdWJsaXNoZXIy MTg3NDExNQ==