How to Communicate Cybersecurity More Effectively to the Board
Board members are having a tough time understanding cyber risk, even though they know that security incidents can seriously disrupt operations. There is also a persistent disconnect between CISOs and boards that is holding back cybersecurity progress.
Boards therefore need to go beyond acknowledging that cybersecurity matters: they should actively engage in risk management conversations, evaluate the plans for dealing with emerging threats, and take the decisions that lead to resilience and effective security oversight.
So, how can security leaders overcome these obstacles and enable the board to make informed security decisions? Here are some important points worth noting:
1. Explain in risk terms.
When reporting, explaining or requesting anything to do with cyber risk, it’s best to speak in financial, economic and operational terms. Boards may not understand cybersecurity completely, but they certainly understand risk.
Remember, a cyberattack is not a board issue because it is expensive; it is a board issue because it disrupts the business, draws unwelcome headlines and criticism of the board, undermines customer trust and threatens the brand and the company's future direction.
2. Set realistic expectations.
In cybersecurity, there will always be things we cannot control, so we must set realistic expectations. We cannot stop an earthquake from happening, but we can make sure our hardware isn't sitting on the San Andreas Fault. Similarly, we can't stop phishing, but we can train employees to recognise social engineering and be more vigilant, and we can put controls in place that limit what a single successful phish can do.
3. Lead with assurance.
Like everyone else, security leaders need to prove their worth. What the board and C-suite really want to know is: Are we prepared for what is coming? Are information risk management methods being applied? Are they proven, effective and compliant? And if the worst happens, can business leaders face their customers, partners, regulators and law enforcement and honestly say they did everything that could reasonably be expected of them?
4. Simplify things.
Simplification means presenting information in the way that best resonates with the audience and dropping technobabble that will only confuse. For example, rather than describing tooling, explain to the board that a properly skilled security team finds and fixes vulnerabilities earlier, and that fixing a flaw before release is far cheaper than fixing it after, which reduces the developer hours spent on rework.
In other words, if you focus more on things such as financial and economic impacts rather than on technical details, communication with the board should improve.
5. Focus on governance and compliance.
When speaking to the board, there will always be discussion of governance, oversight and compliance. For instance, for publicly listed companies the SEC has issued rules (proposed in 2022 and adopted in 2023) on disclosure of material cybersecurity incidents and on cybersecurity risk management, strategy and governance.
In regulated industries such as critical infrastructure, healthcare and financial services, there are multiple regulatory and contractual cybersecurity requirements (HIPAA, CMMC, PCI DSS and so on) that businesses must meet or face penalties, fines or loss of the ability to operate. Framing security needs in these terms can quickly win the board's attention and resources.
6. Discuss the tough questions.
Board members are counting on you to raise the hard questions before an incident forces them. For instance, when formulating a strategy for dealing with ransomware, one unavoidable question is whether the company would pay a ransom at all, subject to applicable law and sanctions rules, which can prohibit payments to certain actors. That position should be agreed in advance, not decided under pressure during an attack.
Similarly, cyber insurance is a sensitive and debatable subject. It has a role in risk mitigation because it transfers part of the financial loss, but from a cybersecurity perspective it can be a distraction: a policy does not restore systems, data or customer trust, so it is no substitute for prevention, detection and a tested recovery plan.
7. Eliminate fear, uncertainty and doubt.
To combat fear, uncertainty and doubt (FUD), it is important to ease the anxiety that arises when an unforeseen event makes the organization feel it has lost control. Business leaders want assurance that the organization is equipped to manage whatever is thrown at it.
Remove FUD by aligning cybersecurity objectives with business goals, developing a resilient strategy that keeps the business running under adverse conditions, and preparing a response and recovery plan for when a bad situation arises. I've found this approach can lead to positive dialogue and enhance the reputation of the security leader.
To summarize, communicating effectively with board members requires cybersecurity leaders to return to the human level: Be original, transparent, realistic and simple. Lead with confidence and conviction.