Best Practices for Cybersecurity Training Programs for Boards of Directors

Cybersecurity Training 2

Navigating the rapidly evolving cyber threat landscape requires cybersecurity training at every level of an organization, including the board of directors.

No longer a purely technical concern, board members are expected to take an active role in developing, implementing and improving cybersecurity measures that will protect their organization and investors.

From strategic oversight and risk management to incident response and regulatory compliance, cybersecurity is a complex area that demands focused training tailored to the unique perspective and responsibilities of board members.

In this blog, we’ll take a look at several strategies for creating engaging and effective cybersecurity training for board members.

1. Illustrate Relevance to the Business Strategy

Understanding the complexities of cybersecurity can be difficult, especially for board members whose backgrounds are typically in sales, finance, leadership or other non-technical areas. Illustrating how cybersecurity relates to the organization’s business strategy provides context that clarifies the organization’s exposure to and the negative impact of cyber attacks. For example, pertinent topics include:

Disruptions in the supply chain
Interruption of services
Compromise of digital assets and information
Economic damages resulting from fraud, theft or ransom, incident response costs or revenue losses
Regulatory / compliance violations and penalties
Reputational damage leading to loss of consumer trust
Negative media attention leading to decreased investor confidence

Increased awareness of the relevance of cybersecurity will foster increased interest in cybersecurity training and increased appreciation for how cybersecurity programs are essential investments in long-term profitability and growth.

2. Understanding Business Operations, Legal and Regulatory Implications of a Breach

Cyber breaches have long been perceived as a technical concern—an issue with systems and data. It is crucial to educate board members on the non-technical aspects of a data breach.

According to a report by IBM and the Ponemon Institute, the average data breach cost for businesses with fewer than 500 employees is $2.98 million, and the average cost per breached record is $164. Moreover, the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over 3 years.

Cyber attacks can affect business operations directly and indirectly, immediately and indefinitely.

The most immediate impact is downtime that halts or reduces productivity, which leads to losses in revenue.
Attackers can also compromise integrated supply chain systems, which can affect any number of steps or processes downstream.
Lost data and damaged hardware can cause short- and long-term problems in production, processing and logistics systems.
The financial costs associated with recovering from a cyber attack can include IT services, technology upgrades, new system training and more.
Loss of data or confidential materials related to new products can also impact operations by delaying a product launch or revealing proprietary information.

The legal implications of a cyber breach can be equally as damaging and long-lasting.

An organization can face costly, potentially drawn-out lawsuits from customers, employees or business partners whose information is compromised.
Cyber attacks can leave a company unable to meet contractual obligations, which could lead to financial penalties and destroy business relationships.
Regulatory implications of a data breach begin with fines imposed by regulatory organizations set up to establish and administer rules governing the collection and handling of sensitive data.
Depending on the industry, a breach could be subject to federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) or the Children's Online Privacy Protection Act (COPPA).

An organization could also face state-level fines and criminal penalties if found to be non-compliant with data protection or mandatory reporting requirements.

Examples of such penalties include:

Equifax was fined $700 million by the FTC in 2019 for failing to take adequate measures to protect the personal information of approximately 147 million people.
Epic Games was fined $520 million by the FTC for violations involving COPPA.
CafePress was fined $500,000 by the FTC after scrutiny revealed they covered up a data breach and failed to maintain adequate cybersecurity and data protection practices.
Uber received $148 million in fines from the FTC for lack of compliance and failure to disclose breach activity.

3. Tailor the Training to the Board

Tailoring cybersecurity training for the board of directors is crucial to providing the understanding they need to effectively guide their organization through the cyber threat landscape.

Creating customized cybersecurity training requires attention to each board member’s education, experience and level of technical knowledge, in addition to their positions and priorities in the organization.

Steps toward tailored cybersecurity training include:

Conduct a Pre-Training Survey: Determine the baselines of your board members’ knowledge, discover their goals for the training and identify any misconceptions or misunderstandings that might require extra attention during the training.
Speak The Board’s Language: Align cybersecurity topics and discussions with strategic objectives and present information in contextually relevant formats—cases and incidents from your industry, threats framed in terms of potential financial, regulatory and reputational damage.
Create Clear Engaging Presentations: Introduce new or complex topics using dashboards, charts and infographics that provide at-a-glance viewing and facilitate rapid understanding; use familiar formats; focus on one subject at a time.

Learn more about Board of Directors cybersecurity training here.

4. Use Actual Incidents as Case Studies or Consider a Guided Tabletop Exercise

Case studies are a highly effective foundation for cybersecurity training as they provide an immersive learning experience. Using actual incidents adds contextual relevance and creates a sense of urgency—“If this could happen to them, it could happen to us!”

Program developers should select incidents that are relatively current, involve companies with similar interests or activities or that demonstrate a particular situation or circumstance (e.g., violation of a specific code or guideline). Once an incident is chosen, developers can create an incident summary, identify a training focus and list the desired takeaways.

Another highly effective training tool is a tabletop exercise or TTX—an opportunity for participants to work through a mock cybersecurity incident from threat identification through incident response. TTXs give board members a way to test their decision-making and review the results of those decisions in a realistic yet safe environment.

5. Don’t Overwhelm Attendees (Unless They Ask)

With varying levels of technical education and experience, board members can be intimidated by the prospect of a cybersecurity training program.

Whether you’re introducing cyber threat terminology, cyber attack statistics or incident case studies, always begin with a high-level overview that can be clearly illustrated and easily understood.

It is essential, however, to always have the data, statistics and other information to validate or support the points being made. Board members with technical backgrounds will appreciate the opportunity to “see the data” to expand their understanding.

6. Make Sessions Interactive

One of the best ways to increase engagement in cybersecurity training is to incorporate interactive elements that give board members an “in the trenches” perspective, transforming complex cybersecurity concepts from theoretical ideas to practical solutions that enhance their decision-making in incident response situations.

As noted above, tabletop exercises provide an excellent opportunity for board members to experience a cyber incident first-hand. Additionally, board members can be assigned to different roles, such as CISO, CEO, PR Manager or other members of the incident response team to understand their perspectives and responsibilities in an incident response scenario.

Additional opportunities for making cybersecurity training more interactive include creating review sessions where participants can share their questions and ideas about a given exercise or case study and general feedback sessions where participants can offer opinions for improving future programs.

7. Discuss Human Elements of Cybersecurity

It is crucial for board members to understand that while cybersecurity is a technical issue, a Verizon report revealed that almost two-thirds of all breaches involve a human component such as social engineering, stolen credentials, privilege misuse or simple errors, while the World Economic Forum puts that figure at 95% (Harvard Business Review).

Introducing the common ‘human errors,’ such as clicking on phishing links, using weak passwords or misconfiguration settings can help “humanize” cyber threats and illustrate the potentially extensive results of a single person’s actions.

This approach leads naturally to a discussion of the importance of building a culture of cybersecurity that balances technical security measures with education that reinforces awareness and makes safety a fundamental element of every role in the organization.

8. Develop BOD-Specific Reporting Dashboards and Metrics

Dashboards should provide a hyper-focused view of the metrics that affect strategic, financial and risk-related elements of the cybersecurity program. Reporting metrics should be discussed and selected for their relevance to the organization’s unique cyber threat profile.

Possible metrics to incorporate into the dashboard could include:

Risk profile (current and projected)
Incident statistics
Compliance and regulatory status
Incident costs
Budgetary (ROI) reports
Operational statistics
Training programs
Incident response team reports
Company-specific concerns that warrant ongoing attention

Utilizing visual design elements such as charts, graphs, heat maps, etc., helps make information more understandable and, as a result, more actionable.

9. Schedule Follow-Up Meetings

Cybersecurity training should never be static. It is an ongoing effort fueled by feedback and follow-up. Every training session should include a plan for providing feedback and a date to regroup and review the various elements of the organization’s cybersecurity posture: progress of new initiatives, confirmation of responsibilities, incident reviews, regulatory or compliance updates, training programs or discussion of external incidents.

Ongoing cyber resilience demands regular review and adaptation to the evolving cyber threat landscape.

Creating a due diligence checklist for the board members can serve as a review of the training program and a framework for continued identification of responsibilities, accountability, resources and timeframes for review.

Cybersecurity has become a significant strategic risk that demands a level of awareness and confidence that fuels proactivity and informed decision-making. ZeroDay Law offers cybersecurity training that helps executives and board members learn how to navigate the cyber threat landscape and protect their organization’s assets, clients and reputation. Interested in learning more? See our resources:

Why Choose ZeroDay Law?

Cybersecurity is more important than ever, and ZeroDay Law has the expertise to protect your organization. We’ll help you plan for and respond to cybersecurity incidents quickly and effectively, so you can get back to business as usual. Cybersecurity attacks, legal obligations and technical threats are growing in prevalence and are not slowing down. As a best practice, ensuring your business has an IR plan in place, that it meets your legal obligations, and that it is reviewed and revised periodically is critical.

Unlike other law firms, we’re experts in matters related to cybersecurity and privacy, with a unique focus on incident response planning. We have a proven track record of success in a range of incident types, including large data breaches.

Our team of experts will work with you to create a custom plan that fits your needs and helps you stay prepared for any potential incident. You'll have peace of mind knowing that your business is safe and secure, no matter what surprises are in store.