in business terms, rather than technical jargon. If you can’t understand what you’re being told, you can’t provide effective oversight. Executives should request that the board define its risk appetite explicitly. Propose a reporting rhythm that strikes a balance between staying informed and not overwhelming directors. Test materials on non-technical colleagues first. 4. Evaluate Resource Allocation The board should review whether the cybersecurity budget matches the institution’s stated risk appetite. You can’t credibly tell regulators and customers that security is a priority while underinvesting in it. When spending doesn’t match stated priorities, it’s only a matter of time before that gap is exploited. Executives should show budget trends and compare spending to peer institutions and industry benchmarks. Be transparent about skill gaps. If bringing in outside expertise for assessments, explain why that’s a strength. Present how security investment connects the dollars spent to the risks mitigated. 5. Assess True Security Maturity Directors shouldn’t accept “we completed the assessment” as proof of security. Ask what management has done with the framework results to strengthen security. Most importantly, evaluate whether security is treated as a strategic advantage or just a compliance checkbox. For executives, lead with outcomes, not activities. Show how framework findings drove specific improvements. Demonstrate measurable progress year over year. Make the strategic case for security as a competitive differentiator, not just a regulatory obligation. PUTTING IT INTO PRACTICE Consider developing a one-page dashboard that answers the questions boards really need to know: What are our top three risks? What are we doing about them? How do we compare to peers? This kind of clear, focused reporting enables both effective oversight and productive board conversations — without overwhelming directors with technical details or requiring executives to explain the same concepts repeatedly. Steve Sanders serves as CSI‘s chief risk officer and chief information security officer. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight. Completing an assessment means nothing if you can’t articulate what you learned from it and what you’re doing to improve. The critical question isn’t “Did we complete our assessment?” Instead, it’s “What have we done with the results?” Stay up to date from your couch, office or even the moon! TAKE US ANYWHERE! Place a 1” x 1” QR Code White on Black Here to the main website Scan to read the most recent publication. 13 WEST VIRGINIA BANKER
RkJQdWJsaXNoZXIy MTg3NDExNQ==