The number one risk to any business is ineffective cyber security because of the catastrophic implications on their reputational and financial status. However, it has become apparent that being able to effectively communicate that risk to Boards and senior executives within an organisation is becoming increasingly difficult, leaving cyber security teams lost as to how to extrapolate the key messages in order to take action to eliminate risks and present these to the board in a consistent and effective way.
Senior executives can appear to be disinterested in, what they may consider, the minutiae of core metrics such as vulnerabilities and security gaps (like the number of systems not patched), but this is not because they are not concerned, it is more a fact that they have differing priorities and perspectives.
What are the Key Reasons Why Boards do not Engage with Cyber Risk?
Lack of technical understanding: This is not a slight on senior executives, but it is the reality that many will not have an understanding of cyber security risks, so if presented with metrics, they are often not able to grasp them.
The focus is on many business issues: The reality is the Board and senior execs are looking at the “big” picture. What impacts the business as a whole, what is the overall Board strategy for the business. They know that cyber security is critical, but they have to be made to understand how that impacts the overall business strategy.
Too much information: Boards can find cyber security can be very overwhelming for senior executives, therefore they can easily “switch off”. Remember they focus on the bigger picture, so providing detailed information on security gaps, risks and vulnerabilities will, frankly, make them disconnect.
Communication Strategies for Communicating Risk to Boards
There are some really key communication strategies that can support an evolution of cyber security professionals to clearly extrapolate the cyber risk messages in a way that Board executives will engage:
Understand your audience:
- Understand the priorities: Align any communication to the overall business strategy. Demonstrate the impact of cyber risk related to overall business risk and how that will affect business growth and goals.
- Ditch technical jargon: Eliminate any kind of cyber focused words and change them to business terms, translating cyber risk into impacts on brand reputation, revenue, customer loss, etc.
- Be concise: Use clear visuals and graphs for impact but in a way that is valuable so that the information is focused.
Direct Attention to Business Consequences
- Ensure the risk is quantified: It’s key you should translate any risks and vulnerabilities into operational issues, legal implications and financial impact.
- Present risk as a business-wide concern: Boards need to see that cyber security is not one department’s (IT!) issue. The impact of risk stretches across the whole organisation and employees are needed to contribute to a common focus on being cyber secure, so engaging the Board to encourage a cyber security focused culture is imperative.
- Be the problem solver: Yes, you need the Board to understand the cyber risks, but if you need tech investment you must present the solution and how that will contribute to a business that has robust cyber security, stringent regulatory compliance, highly efficient operations, thus improving brand trust.
Be Transparent, Be The Trusted Team.
- Regular communication is imperative: Often cyber security teams only engage with the Board when there is a crisis; don’t let that be the case. Foster a culture of regular communications with the board, articulating the current cyber security posture, the threat landscape and how the business has responded.
- Be open, be honest: We’re all guilty of downplaying situations – but don’t; transparency is key in cyber security. “Own” the vulnerabilities and potential gaps in your cyber security strategy and technology but refocus on the forward strategy and improvement plans with expected timescales and budgets needed.
- Blow your own trumpet: Cyber security professionals are the saviours! Make sure your board know it!! This builds trust in your teams and secures future cyber security investments and reinforces you as the experts within the organisation.
Communication Tools that are Effective
There are some key communication tools that you can use utilise in order to extrapolate these key messages on cyber risk:
- Executive Dashboards: Many of our clients request the creation of an exec dashboard when we start customising their continuous controls monitoring platform.
- Identify a champion: You may have a senior exec that actually has an interest in cyber security, so harness that to your advantage to help you bridge that gap between cyber security and business needs.
- Listening is key: You know your stuff, but understanding the Boards perspective is equally important. Listen to concerns from the board, answer questions and provide the clarity they need, always bringing it back to the business needs.
Three Primary Cyber Risk Areas for Boards You Should Address in Reporting
Cyber security risk is a daunting area for Boards. They know it’s there but do not necessarily understand the technical side and how that risk relates to the wider business strategy or operational concerns. So, there are 3 key areas that concern them regarding cyber risk:
- The Impact on the Business: What are the biggest threats to the business and the potential impact, how a cyber security incident would impede the overall organisational strategy?
- Include potential financial losses, legal implications and financial implications.
- Relate cyber risk to impacting overall business strategies.
- Cyber security effectiveness: Is enough being done to mitigate cyber risk. Are the controls effective in preventing cyber security incidents?
- Demonstrate the effectiveness of cyber security programmes.
- Present appropriate metrics to demonstrate the effectiveness of investments in reducing risk.
- Actionable Steps: The Board need to understand the actions needed to protect the organisation from any kind of cyber risk as well as a long-term plan.
- Include steps and the resources need to address the cyber risks including budgets and timescales.
- The long-term strategy to manage cyber risk – this should include staying ahead of evolving threats and managing the evolving landscape.
How to Create a Board Level Security Dashboard
Being concise and keeping it relatable to business strategy is key for reporting in a way that will engage the board. At QO we build exec dashboards that allow our clients to articulate to Boards precisely the cyber risk within their organisation and we focus on these key areas.
*example types of exec dashboards
The types of information you could provide to the Board include:
- KRI’s/KPI’s High level of your key security metrics
- External attack surface: Overview of how much risk your organisation is at
- Overview of assets: The Number one control of all frameworks is to understand your assets.
Focusing on key aspects and aligning to the narrative on business objectives will result in not overloading executives but providing the high-level information they need to ascertain the true security posture of the organisation.
Conclusion
To effectively engage senior executives and garner their support in fortifying the organisation’s cyber security posture, it is crucial to address key areas and convey technical details in a manner that aligns with business objectives:
- Assess Risk: Evaluate potential financial, operational and legal ramifications of cyber threats.
- Emphasise Value: Illustrate how investments in cyber security advance business objectives, such as bolstering customer trust, safeguarding sensitive data and ensuring regulatory adherence.
- Propose Actionable Plans: Offer concrete solutions with clear timelines and budgets, demonstrating a pro-active stance in risk management.
- Simplify Language: Steer clear of technical terminology and instead employ business-focused language that resonates with executives.
- Personalise Communication: Tailor your message to address executives’ specific priorities and concerns, ensuring relevance and engagement.