<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=6226337&amp;fmt=gif">


Episode Notes

While the Board sets up broad policies and priorities for companies, there’s a whole cyber universe that Board members may not fully understand. Jerry Perullo draws on more than two decades of experience, including as CISO at Intercontinental Exchange/New York Stock Exchange (ICE/NYSE), and recently as interim CISO at Silicon Valley Bank, to explain his framework for presenting cybersecurity risks and solutions to the Board.

*Slides below are excerpted from Jerry’s standing room-only session at the FS-ISAC 2023 Americas Spring Summit.

Notes from Our Discussion with Jerry

(3:03) - CISOs as Board members
CISOs want a seat at the Board table and want to be part of the discussions. To do this, they need to be cross functional, with knowledge outside cybersecurity. 

(6:05) - Board Training
Doing board training (such as with the NACD) as early in your career as possible will help you understand how board directors think about risk holistically – an important tool for CISOs briefing boards. 

(7:53) - Addressing Cyber Risk Management and Regulations with the Board
Risk management isn’t new for Boards. It’s been critical for years and meant different things. Yet, cybersecurity isn’t on the list. On the other hand, regulators have requirements, which brings cybersecurity into Board discussions. Tactical intelligence sharing should be digestible and actionable by the Board.

(10:52) – TRIC – The Cybersecurity Framework for the Board
TRIC (Threats, Risks, Incidents, and Compliance) is a framework for presenting cybersecurity programs and progress to the Board. 

(11:26) – Understanding Threats
Briefing on threats is about setting the mission. Threats can be identified by understanding the organization’s risk appetite for focusing the cybersecurity program.


(13:46) - Risks are Standalone Vulnerabilities
Risks are very specific vulnerabilities. An organization may face thousands of them and there should be a constant discovery and identification process. CISOs should also identify which of these risks to take to the Board.


(15:45) – “Incidents” Defines When to Approach the Board  
The Incidents piece is about defining the severity levels and getting agreement with the Board. A lot of governance is focused on when the Board is alerted and when they should get involved. These should be included in the incident response plan.


(17:32) – Compliance Data 
Presenting data in the form of a Gantt chart can make it easier for the Board to understand the progress in cybersecurity and compliance.


(19:13) –Adding a narrative executive summary and an appendix to the presentation. 

(20:18) –Advice for CISOs who aspire to be on the Board and discusses the possibility of cybersecurity being deprioritized by the Board.   

Fight cyber threats with the intelligence and knowledge of the whole industry at your fingertips – Join the FS-ISAC community.

FinCyber Today

FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.

Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.

Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.

© 2024 FS-ISAC, Inc. All rights reserved.

Listen on

FS-ISAC members around the world receive trusted and timely expert information that increases sector-wide knowledge of cybersecurity threats.

Learn More