Communicating Cybersecurity To Boards And Executives: 3 Key Tips
Cyberattacks can cost an organisation its reputation, its customers and a great deal of money, making CEOs and board members more accountable. Yet research shows that a high percentage of corporate boards are not actively involved in cybersecurity oversight. Even so, Gartner estimates that by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually.
Many CIOs and CISOs face challenges when it comes to communicating the cybersecurity strategy to board members and making them aware of critical risks to the organisation. In today's world, where threats are constant, more risk means a greater budget need. In order to justify the desired cybersecurity expense, you must clearly present the risks, the plan you will implement to protect the company's assets, and the rationale behind the cost. Here are 3 strategic tips on how to present your organisation's challenges to the board and get faster budget approval.
1. Map out your cybersecurity programme
Developing and maintaining a cybersecurity programme is a crucial process that needs to be repeated and updated over time. The programme allows you to link strategic business goals with security targets and to identify unique challenges and opportunities that can then be communicated to the board. Your programme should provide a snapshot of the current cybersecurity state, address the core components of people, processes and technology, and include a roadmap. The roadmap allows you to develop a much more detailed implementation plan that logs progress toward each strategic initiative and its associated tactical plan. Another crucial element that this programme must include is a detailed, independent gap analysis, which brings us to our second strategic tip.
2. Get an independent view of your current cybersecurity state and present the facts
Even if you do have a good security team in place, independently reviewing your systems on a regular basis helps you get an accurate picture of what your risks are and how you benchmark against best practice. If your organisation has a strict compliance mandate, chances are that your clients or regulatory bodies request regular proof of third-party audits. A third-party auditor can help you understand how your organisation's security architecture compares with those of your peers, how it compares to industry standards and what your overall security maturity level is. Conducting a gap analysis is a great way of understanding which specific areas of security you need to focus on improving. The results of this gap analysis can be added to your risk register, where they are then tracked, quantified and actioned. A snapshot of the risk register can be presented to the board, which greatly facilitates the budget discussion.
3. Speak their language
When communicating your cybersecurity programme to the board, it is important to translate technical, tactical details about cybersecurity into business terms: risks, opportunities and strategic implications. The most important implications and results that are presented to the board can be broken down into the following:
- Important cybersecurity trends, patterns and the threat landscape
- Your company’s cyber risk appetite based on an independent gap analysis and a mitigation plan
- How cybersecurity can enable business functions across your enterprise
- Your current regulatory compliance level
- The cyber risk position of your suppliers, vendors, partners and customers
- The IT budget spend and how it compares to that of your peers
Keep the following guiding principles in mind when preparing board-level reports:
- Make sure the data is relevant to the organisation’s business context and can be understood by the audience.
- Be concise: Avoid providing too much information, and eliminate technical jargon. Leave the acronyms at the door.
- Less is more: Minimise text, and include graphics and visuals to convey your key points.
- Communicate insights about what the data means, not just information. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate impact.
- Welcome strategic discussion and dialogue between directors and senior management.
Clear and effective communication with board members and executives is vital to getting your cybersecurity agenda across. Supplying your board with the right information ensures they can support your goals to protect against today's often unpredictable security threats. At Smarttech247 we help our clients understand and quantify their cyber risk posture, and assess their cybersecurity maturity in a way that can be presented to the board and executive members. Reach out to our consultants today for more information.
Need more tips? Come to our Futuresec.ie conference on September 24th in Cork!