Board members are becoming increasingly curious about the state of cybersecurity in their organizations. The statutory requirements for directors to be aware of security risks are growing across the globe, reflecting the increasing frequency of incidents that can significantly affect share price, brand, and reputation, as well as shareholder confidence.
Board members, non-executive directors, and audit committee members now expect regular briefings on cybersecurity. Securing investment and confidence from the board is increasingly tricky and delivering updates that satisfy board members can be challenging.
In my experience of helping organizations and CISOs define their governance requirements around cybersecurity, I have found the following five activities to be particularly useful:
1. Consider How You Will Convey Your Cyber Security Message
There are many pitfalls that CISOs, and those responsible for information security, should avoid when engaging with the Board. First of all, Board members will be overly-familiar with PowerPoint-based presentations, so think how else you can get your message across without relying on slides. Talk in their language and be wary of drifting into technical speak.
Be succinct and if you have to provide any material in advance, keep the information to no more than two pages.
Ultimately, understand why you are there – it’s unlikely that you are being asked to provide an information update. Are you looking for an endorsement? Additional budget? A strategic decision or guidance from the Board? Tailor your message and help lead the Board towards your end goal.
2. Relay The Information To Your Board In A Risk-Based Format
The Board will understand ‘risk’ far better than you may initially appreciate. Ensure that you can explain how cyber risks have been quantified and how these relate to your own KPIs. Scaremongering will not win widespread, sustained support, so be wary if you choose to present risks in terms of ‘worst case’ impact and likelihood. Being able to demonstrate how previous investment has helped to mitigate risks will show the Board that you are spending their money responsibly, and you are more likely to gain their trust as a result. Several risk models are in use for cybersecurity board presentations.
3. Demonstrate How The Organization Is Improving Its Maturity
Boards will want to understand how their organization compares to their peers, and how it is maturing over time, in line with their risk appetite. There are a number of cyber and information security frameworks available which can help organizations and CISOs demonstrate their maturity and state of compliance.
Understand your regulatory environment and be clear about what will help grow the business – seek help to cut through the confusion. Gain executive sponsorship where the organization decides to adopt anything that impacts the entire business, as opposed to just the IT department.
How is any investment going to change the business in a year’s time and what more will be required?
4. Gain Board Level Sponsorship
CISOs and those responsible for information security will find it difficult to gain traction with the Board unless there is someone in the C-suite fighting their corner. Unlike most other disciplines, cybersecurity does not fall neatly under one company department or division, meaning that CFOs, COOs, CIOs, and the other executives may be looking at each other to take forward issues brought before the Board if reporting lines are not clear at the outset.
Befriending the company secretary is a useful way of understanding the dynamics of Boardroom environments, and from there, you can identify the appropriate ally to sponsor cybersecurity issues going forward.
5. Identify The Key Information And Cyber Security Risks Facing The Organization
Think like an adversary – if you correctly understand your business environment and your assets, then you can put yourself in the shoes of an attacker. As part of a proper risk assessment, you should be able to apply the appropriate controls to the right areas of the business, without unnecessarily scaring the Board or trying to adopt expensive technical controls wholesale.
Consider the following:
- What are your critical sensitive data assets?
- Have you assessed the threat landscape from all perspectives? Does this include an assessment of the insider threat – either through malicious intent or accidental activities?
- Do new ways of working pose new risks?
- How does new legislation and regulation impact the organization?
Addressing all of these aspects will help organizations and CISOs define their governance requirements around cybersecurity.