3 Tips for Talking to Boards About Cybersecurity
Cybersecurity concerns are no longer the domain of the IT department. They permeate every aspect of an organisation’s operations and governance – and cyber security is increasingly being discussed at the board level.
However, boards aren’t always well-equipped to talk to cybersecurity professionals about cyber risk. This is where cybersecurity professionals should step in. There is an immense opportunity for cybersecurity professionals to guide boards as they oversee current and looming cyber threats.
In this blog post, we’ll discuss three key tips security leaders can implement to talk to boards about cybersecurity.
Discuss Organisational Impacts and Opportunities.
Boards are interested in strategic issues, not operational problems (until those problems have a strategic impact). To gain their understanding, cyber security needs to be viewed through the lens of risk and opportunity to the organisation as a whole. This can be challenging for security professionals, who often focus on specific threats and vulnerabilities (which are likely to be meaningless to board members) rather than on the broader organisational impact.
Board members don’t need to know about the details of the organisation’s insurance policy, just that it is current, appropriate and regularly reviewed.
In practice, this means security leaders should focus on:
- Framing security discussions within the context of the organisation’s strategic goals.
- Talking about maturity level and risk tolerance, rather than specific standards or controls.
- Presenting a clear roadmap and an outline of the resources required to get there.
- Prioritising relevant threats and opportunities (instead of trying to address any and all risk).
- Explaining any gaps in the organisation’s incident readiness and what resources it would take to close those gaps.
- Encouraging questions and discussion about key points (and preparing for likely questions in advance of any discussion with the board).
- Where possible, calculating the potential return on investment (ROI) of security spending.
Benchmarking your organization against industry standards can also be helpful in selling your security message to the board.
Use Clear, Plain English Language When Discussing Security
The board is responsible for governing, not managing, security risk. What this means is that, while the board must be curious enough about security risk to adequately assess it – board members are not required to be well versed in the technical language of cyber security.
Instead, security leaders must be well-practised at speaking the language of the board – clear and plain English that’s free of technical jargon to the largest possible extent. This comes with a host of benefits, including:
- It fosters a shared understanding of, and a mutual and accurate respect for, cyber security threats.
- It promotes more informed decision-making and makes it more likely that boards will focus on the right issues.
- It can help to ‘bridge the gap’ between the historical view of organisational privacy and security being a necessary cost and the new position of security being a competitive advantage that promotes innovation, growth, and trust.
Finally, by using language relevant to the board, board members are more likely to be motivated and interested in learning more. This opens the door for security leaders to share valuable resources to help boards further their understanding of the cyber security landscape – like the UK Government’s Cyber Security Board Toolkit.
Bring Awareness to Issues That Aren’t in the News
CSO Online reported that “while most CISOs are experiencing noteworthy increases in security funding, impractical expectations of budget holders are leading to significant amounts being spent on what’s hitting the headlines instead of strategic, business-centric investment in security….”
To be frank, we hardly blame the boards for focusing on the headlines. In the wake of the mammoth Latitude Financial, Medibank, HWL Ebsworth and Optus breaches (amongst many others), the risk of a data breach caused by cyber criminals is likely top of mind for board members. However, cybercriminals are hardly the only risk – and security leaders must make sure boards are aware of threats and opportunities that aren’t in the news.
If there’s a silver lining for security leaders in the rapidly evolving security threat landscape, it’s that the heightened awareness of the threat opens the (boardroom) door for these discussions. In other words, security leaders are in a unique position in that board members are now more likely to listen to security leaders discuss the full scope of risks and what addressing them would entail.
Security Management with Privacy 108
Privacy108 is owned and led by one of Australia’s leading security and privacy professionals, Dr Jodie Siganto. The Privacy108 team includes lawyers, consultants and trainers who between them hold many years of experience in delivering privacy and security solutions for Australian organisations.
We have worked as in-house counsel and senior executives, and understand the pressures faced by executives, CISOs, Chief Privacy Officers, procurement teams and in-house lawyers. Our team’s industry experience is complemented by extensive legal knowledge and a desire to assist our clients with high-quality practical advice.
If your organisation could benefit from improved cyber security management, reach out. Our experienced team would love to help.