Having conversations around cyber risk that will resonate with the board of directors can enable CISOs to bridge the gap that exists between cyber risk policies and the business objectives of an enterprise.
As enterprises have embraced digital transformation, they have also witnessed the consequences of executing it poorly or neglecting their cybersecurity infrastructure. Hence, board members across enterprises agree that they need a thorough understanding of how cybersecurity risks can be addressed through good enterprise risk management. Furthermore, they have realized they should also keep abreast of cyber risks and of how those risks can affect the enterprise financially, legally, reputationally, operationally, and otherwise. Though these factors suggest a promising leap for the CISO role, the reality is very different.
According to a 2017 ISACA survey on tech governance, 87% of C-suite executives and board directors say that they are not confident in the cybersecurity capabilities of their enterprises. This implies that even though most enterprises are ready to take on their responsibilities regarding cybersecurity, a translation gap remains: cyber risk insights still need to be made more accessible and more useful to the board of directors.
Below are a few points that CISOs can follow to effectively communicate cyber risk to their board:
● Have a thorough understanding of the board’s responsibility
To communicate effectively with the board when addressing cyber risk issues, CISOs should understand the board’s fiduciary responsibilities in the context of the business operation. They should also have a thorough understanding of how technology enables the running of the entire business ecosystem. Whenever required, security leaders should also reach out for support from enterprise risk management professionals, who are well-versed in explaining to board directors the operational and strategic risks that flow from cyber risks.
● Organize data in a familiar way
According to a recent ISACA whitepaper, “Presenting a full slate of risk scenarios to the board is not beneficial until the scenarios are ordered and prioritized using a quantitative measurement that is in a familiar format for executives.” Thus, CISOs should organize and present risk quantification through dashboards. This lets them illustrate metrics such as key performance indicators, key risk indicators, and key control indicators in categories such as data reliability, system reliability, data loss and fraud. Organizing data this way enables the board to make informed decisions on matters such as security budgets and the deployment of emerging technologies.
● Know the key indicators
Another way to speak the board’s language around cyber risk is to frame the conversation around how the enterprise is doing and progressing compared with its industry peers. The discussion should go beyond highlighting stories of enterprises that suffered a negative impact, even if such stories command the board’s attention. Furthermore, CISOs should delve in and compare the organization’s control measures with those of similar enterprises, and, where vulnerabilities exist, explain what steps should be taken to address them.
Even though CISOs and security leaders do not have to constantly convince the board to oversee enterprise cyber risk, they still struggle to explain the details that would enable the board to make incisive and actionable decisions. By following the points above, CISOs can communicate cyber risk effectively, thereby increasing the board’s confidence in the cybersecurity capabilities of the enterprise.