3 ways to speak the board’s language around cyber risk

The days of a hopeless disconnect between security leaders and the board of directors have come to a close—at least for enterprises with a healthy risk posture. Digitally savvy or not, in today’s business environment, board directors largely recognize they need an understanding of how cybersecurity risk overlaps with enterprise risk and the board’s overarching governance responsibilities, and they at least need to be conversant in cyber risk and how it could impact the organization—financially, reputationally, legally, operationally, and otherwise. The more digital the business becomes, the more cybersecurity becomes an existential issue to address, impacting the competitiveness, continuity, reliability, and overall trust of the enterprise.

High-profile data breaches, ransomware attacks, and other existential crises brought on by cyberattacks in recent years have shattered the outdated notion that enterprise security is the IT team’s burden to bear, replaced by an acknowledgement that cybersecurity is a board-level issue. Yet, according to a 2017 ISACA survey on tech governance, 87% percent of C-suite professionals and board members say they lack confidence in their company’s cybersecurity capabilities. This indicates that while most enterprise boards have come to appreciate their responsibility when it comes to cyber risk, there remains a level of translation required to make cyber risk insights more digestible—and therefore more useful—for board directors.

Here are three tips for communicating cyber risk to the board.

Understand the board’s responsibility

Effective communication to the board regarding cyber risk requires CISOs to understand the board’s scope and its fiduciary responsibilities in the context of each business as well how technology enables the whole business ecosystem. When possible, security leaders are well-served to enlist the support of enterprise risk management professionals, who are often best equipped to explain to board directors the operational and strategic risks that flow from cyber risk.

Present data in a familiar format

It is useful to present risk quantification through dashboards, illustrating metrics like key performance indicators, key control indicators, and key risk indicators in categories such as data loss, data reliability, systems reliability, and fraud. This type of data enables boards to make informed decisions around considerations such as security budgets and the deployment of emerging technologies, drawing upon relevant data and in the context of organizational risk appetite.

As noted in a recent ISACA white paper on the topic, “Presenting a full slate of risk scenarios to the board is not beneficial until the scenarios are ordered and prioritized using quantitative measurement that is in a familiar format for executives. The members of board committees are adept at managing financial measurements. The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk.”

Know your benchmarks

There is another important way to speak the board’s language around cyber risk: frame the discussion in terms of how the organization is faring relative to industry peers. This conversation should go beyond highlighting prominent stories in the news cycle of major hacks that might be impacting industry competitors, although those can certainly be useful in commanding the board’s attention. Specifically, there should be substantive conversations around how the maturity of the organization’s control measures compare to similar organizations and, if a deficit exists, what measures might be needed that could help to close the gap.

Fortunately, we have largely moved beyond the hurdle of needing to convince boards of the importance of overseeing enterprise cyber risk. Today, the challenges security and risk teams face center more on finding the right amount of detail to share with the board and presenting it in a way that board members find incisive and actionable. If security teams are finding it challenging to gain leadership’s buy-in or are not receiving the big-picture guidance that they need, it might be time to recalibrate how they are communicating cyber risk to the board.