By Steve Sanders
Most bank boards struggle with cybersecurity oversight because they don’t know what questions to ask, how to interpret the answers or whether their security measures are actually working.
Directors may approve cybersecurity budgets without understanding if those investments actually reduce risk, or they may review incident reports without grasping whether response times meet industry standards. They can describe their cybersecurity framework but often can’t explain what their institution does with the results. The challenge is compounded further when cybersecurity is presented as a jargon-filled IT issue rather than the business-critical risk it represents, creating a dangerous gap between regulatory expectations and board-level understanding that leaves institutions vulnerable not just to cyber threats but to regulatory scrutiny.
Whether you’re a director seeking to understand what your institution’s NIST CSF or ISO framework results actually mean for your risk profile or an executive preparing risk dashboards, security briefings and incident reports for your board, the ultimate risk assessment strategy is to provide practical approaches that close the cybersecurity literacy gap.
Board cybersecurity literacy doesn’t mean directors must become technical experts. But it does require structured questioning, clear reporting that translates technical risks into business impact, and honest assessment of organizational maturity.
The uncomfortable truth about board cybersecurity literacy
Here’s what I’ve observed after years of working with bank boards: Most of them generally don’t meet expectations when it comes to cybersecurity oversight. That’s not an indictment of their dedication or intelligence. It’s simply a recognition that cybersecurity has evolved faster than board education.
Many directors can tell you which framework their institution uses—whether it’s the NIST Cybersecurity Framework (CSF), ISO standards or something else. But when you dig deeper and ask what they’re actually doing with that framework, you often get blank stares. Completing an assessment means nothing if you can’t articulate what you learned from it and what you’re doing to improve. The critical question isn’t ‘Did we complete our assessment?’ It’s ‘What have we done with the results?
The framework transition challenge
The Aug. 31, 2025, sunset of the FFIEC Cybersecurity Assessment Tool forces smaller institutions to adopt more complex frameworks. The leap isn’t incremental…it’s substantial. But the transition is long overdue; many mature organizations should have already moved beyond the CAT’s simplified approach to adopt more comprehensive frameworks.
The CAT provided a simple rating system that scored your cybersecurity maturity from one to five across different domains like cyber risk management, controls and threat intelligence. The NIST CSF requires significantly more work: comprehensive risk assessments across five core functions, detailed control documentation and ongoing measurement of outcomes rather than simple numerical ratings. That makes it less user-friendly for small banks, but risk assessment should never be contingent on how easy it is to complete.
Community banks also face a severe shortage of qualified cybersecurity professionals. This isn’t just an inconvenience, it’s a fundamental challenge that boards must address strategically. Smaller organizations may need to spend money bringing in external expertise to complete assessments. That’s not a sign of weakness. It’s a recognition that resource constraints make professional oversight frameworks even more critical.
These knowledge gaps among bank boards are prominent. A director once told me their institution scored well on their cybersecurity assessment, but when I asked what specific improvements resulted from those findings, they couldn’t answer. That disconnect between completing an exercise and achieving real security maturity represents exactly what needs to be addressed to develop real cybersecurity preparedness.
Five essential board responsibilities
Directors don’t need to understand the technical details of firewalls or encryption. But they do need to fulfill five essential oversight responsibilities:
1. Understand your security posture
Board members should a k management to explain the cybersecurity framework in plain English, request summaries of the security posture—both strengths and weaknesses—and understand the top five security improvement priorities for the coming year with specific, measurable goals.
For executives preparing these briefings, present framework results as a narrative, not a checklist. Translate technical findings into business risks with a clear improvement roadmap. Your directors can’t provide effective oversight if they can’t understand what you’re telling them.
2. Ask the right questions
The questions directors ask matter more than whether they understand every technical answer. Focus on these: How do we compare to peer institutions? What is the business impact associate with our three highest-rated risks? How do we validate that our controls are actually working?
That last question is particularly important. Too many institutions assume that because they implemented a control, it must be working. Executives should come prepared with peer benchmarking data. Quantify risk in dollars and customer impact, not technical metrics. Include validation results, not just implementation status.
3. Set clear expectations
Directors need to define the institution’s acceptable risk tolerance for different types of threats, establish a reporting cadence and format that enables informed decisions and insist on explanations in business terms, not technical jargon. If you can’t understand what you’re being told, you can’t provide effective oversight.
Executives should ask the board to define their risk appetite explicitly. Propose a reporting rhythm that balances staying informed without overwhelming directors. Test materials on non-technical colleagues first.
4. Evaluate resource allocation
The board should review whether the cybersecurity budget matches the institution’s stated risk appetite. You can’t credibly tell regulators and customers that security is a priority while underinvesting in it. When spending doesn’t match stated priorities, it’s only a matter of time before that gap is exploited.
Executives should show budget trends and compare spending to peer institutions and industry benchmarks. Be transparent about skills gaps. If bringing in outside expertise for assessments, explain why that’s a strength. Present how security investment connects dollars spent to risks mitigated.
5. Assess true security maturity
Directors shouldn’t accept “we completed the assessment” as proof of security. Ask what management has done with the framework results to strengthen security. Most importantly, evaluate whether security is treated as a strategic advantage or just a compliance checkbox.
For executives, lead with outcomes, not activities. Show how framework findings drove specific improvements. Demonstrate measurable progress year over year. Make the strategic case for security as a competitive differentiator, not just regulatory obligation.
Putting it into practice
Consider developing a one-page dashboard that answers the questions boards really need to know: What are our top three risks? What are we doing about them? How do we compare to peers? This kind of clear, focused reporting enables both effective oversight and productive board conversations—without drowning directors in technical details or forcing executives to explain the same concepts repeatedly.
About the Author
Steve Sanders serves as CSI’s chief risk officer an d chief information security officer. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight.