Communicating Cybersecurity Effectively to the Board

Introduction

Cyber security has always been an unsought goods like, insurance, which is useful only when something bad happens. And It’s always been challenging for security leaders to communicate the value of cybersecurity investments to board and peers. Furthermore, everyone in an organization has their own perspective when it comes to cyber security. That’s partly why security professionals find it difficult to convince management for budget approval.

But situations are changing, as boards and management are understanding the importance of security. Now it’s the security leader’s responsibility to communicate the importance of cyber security effectively. This has become very important during the pandemic when huge risks of cyber breaches are looming and organizations cut costs due to slowing business to survive the pandemic.

In this piece, we talk about the best practices to effectively communicate cyber security to the board and management.

Be in your audience’s shoes: Talk in the language of the board and quantify cyber risks.

As per Deloitte’s 2019 Future of Cyber Survey, half the C-level executives responded that their organizations use any quantitative risk evaluation tools at all while the other half said they still rely largely on the experience of their cyber experts or maturity assessments.
 

• In today’s “cyber everywhere” era, it’s more critical than ever to be able to accurately quantify cyber risks ahead of time.
• Security leaders should come with a plan for their existing cyber risks, and if a breach would occur, what would be the dollar value loss to the organization. And relate the impact of cyber attacks to the organization's value creation — business operations, reputation and loss exposure in terms of dollars — all of which effect the future of the organization.
• It’s important that security leaders communicate cyber risk in a language that the board and the rest of the C-suite can comprehend. Some are not savvy about the technical details of cyber security.
• Compare with peers’ your risk scores, cyber security posture, industry averages, etc. as boards and C-level executives want to stay ahead of the competition in terms of their readiness to face challenges.

Communicate the severity and losses of not having a robust cyber security program

According to the World Economic Forum's Global Risks Report, data fraud, data theft and cyber attacks are among the top five biggest risks world faces. That's because of the huge business impact of cyber attacks. For example, it cost Maersk an estimated sum of $300 million after the NotPetya malware shut down operations. Verizon paid $350 million less in its acquisition of Yahoo after the tech company suffered two cyber attacks.
 

• According to a recent Accenture report, the average cost of cyber crime to an organization has risen to $13 million. Organizations must understand that cyber risk is a business risk for businesses of all sizes and industries.
• Use proper reports and facts while presenting to boards helps them to understand the financial risks associated if they get hacked.
• Present a plan to achieve the recommended level of cyber risk and provide quantifiable insights on improvement

Use simple language: Build trust and engage leadership.

Again, it’s very important to keep in mind to use simple language and avoid technical jargons as much as possible when presenting to the board or trying to make your point to any non-technical C-suite executive.
 

• Security leaders should engage in dialogue to build trust and engage leadership. They should use real world breach stories, including ones from their peers and the kinds of losses they faced. These are more relatable to the board and management than listening to technical dialogue, which they might not understand.
• It is helpful if security leaders can get support from their colleagues while communicating cyber security to the board. Make them understand the value of a “cyber everywhere” mentality.

Be prepared to face any kind of objections and questions.

When security leaders are preparing for a presentation to a board or C-suite executives, they must be ready to face all kinds of non-tech, and sometimes, technical questions.
 

• They should be ready with standard material, depending on the agenda of discussion. If it’s a budget approval board meeting, security leaders should be ready with the state of current cyber security and any loopholes their action plans can fill to create a robust cyber security environment. They should also have collaterals like case studies, use cases and risk quantification data, whenever possible.
• Prepare to defend and answer questions around cybersecurity investments.

In summary, it’s critical for CISOs and security leaders to communicate the value of cyber security effectively. If CISOs are unable to communicate and quantify their cyber security program, priority projects don’t get funded which leads to increased breach risk. Fortunately today, there are many tools on the market that significantly improve a CISOs’ ability to effectively and systematically report to the board.