Communicating cyber risks to the board
Tue 10 Jan 2017
Cybersecurity is quickly escalating up the priority lists of global businesses, as the likelihood of breaches and the severity of business impact increase. Company boards cannot afford to underestimate the importance of taking due care to mitigate this risk. It is no longer a technical issue to be managed by the IT team alone: the impact has gone far beyond technical limits and requires full attention from top management.
The role of the CISO can be an effective channel to bridge this gap and voice cyber concerns to the board. A CISO has a direct line to the CEO and should have the right skills to be able to convey clear messages regarding the risks that are affecting the business. While simply said, it is not so easily achieved.
Know your audience
As a CISO you will need to adapt your messages to communicate effectively at board level. A basic technological knowledge is an obvious requirement, but your choice of language and terms should be familiar to business. Security technicalities will not enrich your message. On the contrary, they will create confusion and a lack of confidence in your strategy.
CISOs should aim to strike a balance between alarmism and over-confidence. Your message to the board should neither be a matter of provoking panic, nor of confidently saying that everything can be controlled – a ‘this will never happen to us’ approach. A clear and transparent picture of the risks, the security strategy, the projects in place to tackle these risks, and the funding required, should be sufficient to create the right sense of urgency.
At these top-level conversations, it is also important to emphasize the fact that this is not about plugging in new technologies, but rather about setting new processes and managing change to gain maturity. Maturity does not come in a matter of weeks – it takes time and effort.
It can therefore be valuable to demonstrate a framework or a standard against which you can measure your maturity and report it regularly to the board so that they can monitor how the company is progressing. However, the use of a standard such as ISO is something that depends on the particular context of the company.
It is also important to create a culture of cybersecurity at the board level in the same way as in the rest of the organization. It is futile to concentrate on building a culture among employees, without mirroring the practices across the top levels of management.
Know where your business is headed
A conversation is a two-way process and it is not just on the CISO to take the lead in these interchanges. A clear link to top management is critical for building your understanding of the business, its objectives and the operational risks that can inform cyber policy, e.g. what information is managed by the business, what is the value of this information, where is this information stored, what channels are used, who are the stakeholders, etc.
An understanding of your company’s history, IT landscape, context, risk map and funding capacity is crucial for helping to shape a cybersecurity strategy, and choosing the right technologies requires a thorough assessment of these variables.
Know your strategy
Finally, it has to be understood at all levels that technology by itself does not solve security problems.
It is not just about hooking up new technology and waiting for the cyber risks to diminish; setting up these technologies requires establishing different processes and responsibilities. Operating new security technologies is a major challenge as it typically involves various teams with different profiles and skills, and most likely a range of different providers. Very clear procedures should be implemented to outline how to monitor operations, how to react in the case of an incident, and how to escalate and to whom.
A further factor to bear in mind is change management. Any new technology will directly impact an organization and its people. Therefore, managing that change requires resources and time, as well as a concrete strategy to ensure smooth adoption.