More boards of directors are now recognizing that security plays a key role in business operations and strategy. In fact, cyber risk is becoming a top governance priority for boards, landing right up there with financial and legal oversight.
That’s the good news, but it comes with a warning. Boards want more assurance and better visibility, yet many security leaders and CISOs aren’t prepared to communicate with their boards effectively or regularly. Fifty-four percent of board members surveyed said the data they received was far too technical, and 85 percent said IT and security leaders need to improve how they report to the board.
Is it any surprise then that only one-third of IT and security executives believe the board understands the cybersecurity information provided to them?
Frequency was another concern. In 54 percent of boardrooms, cybersecurity comes up only twice a year, or when there’s an incident.
If you’re responsible for cybersecurity today, you’re also responsible for the quality and frequency of reporting to the board. Clear, relevant information is what lets the board ask intelligent questions, provide guidance, and make informed decisions about cyber risk. That means you won’t enlighten or help your board with a 200-page report (too overwhelming) that lists how many patches are missing across your network infrastructure (too technical, too much jargon).
Here are just a few pointers for improving communications:
- Provide information on the latest cyber threats, attack types, and industry trends. Citing actual incidents will make things tangible for them. Be prepared to discuss how your organization is positioned to prevent and respond to similar events.
- Ask board members which cyber events concern them the most, or ask directly, “What cyber or IT events could put us out of business?” You will likely find that incidents that damage your organization’s reputation (data breaches), lose money (unauthorized funds transfers), or impair your ability to serve clients (extended business interruption, compliance violations) rise to the top of the list.
- Report on the status and progress made on addressing the risks that are of the highest concern. Make your reports useful and actionable by presenting a clear picture of the business risks using language the board will understand. Avoid information overload and getting into the weeds of day-to-day management information. Instead, focus on what significant decisions you want the board to make and provide them with the right information to make those decisions.
- Be candid about the vulnerabilities as well as the achievements, and give the board suggestions for shoring up any weaknesses. Consider using a cybersecurity assessment framework (e.g., the NIST Cybersecurity Framework or the FFIEC Cybersecurity Assessment Tool) to report progress against maturity levels on a routine basis, so the board sees the same yardstick from one meeting to the next.
Overall, it is important to get into a cadence of discussing cybersecurity as a regular board agenda item and to present valuable information at the appropriate level so boards can be effective with their governance and oversight responsibilities.
Keep in mind, 59 percent of board members in the previously cited study said cybersecurity executives could lose their jobs if they failed to communicate in an effective manner. Now that’s quite a clarion call for better communications.
How Boards of Directors Really Feel About Cyber Security Reports, Bay Dynamics, June 2016.
Cyber Governance Health Check Report 2015, HM Government, May 2016.