How To Talk To Your Board And C-suite About Cyber-preparedness
By Alex Tilley, Head of Threat Intelligence, Asia Pacific & Japan, Secureworks
Digital transformation and remote work have reshaped the business landscape and cyber threats have become the modern barbarians at the gate. The vulnerabilities of organisations are constantly targeted, posing risks that range from financial losses and intellectual property theft to legal cases, fines, and reputational damage. As the guardians of an organisation’s strategic direction and risk management, the board of directors and the C-suite must take cyber-preparedness seriously.
Conveying the gravity of cyber risk to the board and C-suite is a challenging task. It means getting past the veneer of casual conversation and the norms of polite boardroom protocol to a comprehensive, strategic approach to cyber-preparedness communication, and the Chief Information Security Officer (CISO) shoulders the primary responsibility for making that happen.
The CISO-Board Interdependence
The board looks to the CISO to exercise due diligence in cybersecurity and to guide its understanding of the risks and of the organisation's efforts to mitigate them. However, securing the board's buy-in for necessary cybersecurity investment can be difficult, especially when its comprehension of cyber risk is limited.
The CISO must establish himself or herself as a credible and trusted figure to build a foundational relationship with the board. One effective way to do this is to run business-wide crisis management exercises. The outcomes of these exercises reveal how the board prefers to receive information and expose any gaps between its expectations and reality. Running such exercises outside of real crises is key: it builds a shared understanding of roles and responsibilities, and gives the board confidence that the CISO can deliver meaningful reports even under pressure.
Regularly scheduled briefings at board meetings further strengthen this relationship by keeping lines of communication open and demonstrating the CISO's commitment to transparency and collaboration. However, relying solely on the cybersecurity team is not enough; it is becoming clear that a security culture across the whole organisation is essential.
The Impact of Security Culture
Security culture in an organisation boils down to protecting the organisation and its interests in an increasingly hostile environment. In the battle against cyber threats, the CEO must recognise that cybersecurity is a collective effort and that every individual in the organisation shares responsibility for safeguarding sensitive data and systems. All staff need to feel confident working together and "doing their bit" to secure the organisation and ensure it thrives.
This culture should emphasise trust, collaboration, and empowerment. When employees are encouraged to proactively report cyber incidents without fear of backlash, the organisation becomes better equipped to prevent costly breaches. A security culture enhances disaster recovery efforts and provides a robust defence against cyberattacks.
With the persistent ransomware threat and shrinking attacker dwell times (less time between initial access and ransomware deployment, and therefore less time for defenders to notice and respond), an organisation's security culture provides a significant defensive edge against existential threats from well-resourced, experienced and motivated attackers.
Techniques for Effective Reporting
Communication with the board and C-suite demands realistic, meaningful metrics that show the organisation's progress on its security journey. To ensure those metrics are relevant, the CISO should discuss them with the board in advance and choose measures tied to the board's actual pain points and to the programme's maturity goals (for example, time taken to detect and contain incidents, or the proportion of critical systems covered by backups that have been tested for restoration). This ensures that the chosen metrics resonate with the board's concerns and priorities.
Breach reporting is another area that must be addressed before a breach happens. The CISO should work with the board in advance so that it understands what it should expect to be told, by whom and how quickly. The two can then agree on acceptable, understandable terms and bring in other business units, such as legal and communications, so that their inputs to the breach detection, notification and response process are visible and agreed.
Crafting a Compelling Board Presentation
A successful board presentation hinges on several factors. First, it requires understanding what the board truly needs to hear. This means distilling complex technical information into actionable insights that align with the company's strategic goals. Clear and concise language is essential, as jargon and extraneous details can obfuscate the message.
The ability to collect, analyse, and present critical information in a meaningful way is paramount. Anticipating questions from the board, often unexpected, prepares the CISO for thorough discussions. Practising the delivery of the presentation with non-technical individuals helps ensure that the content is accessible and well-understood by all stakeholders.
In addition, showing a willingness to engage with business units beyond IT demonstrates the CISO's commitment to holistic cybersecurity. This reinforces his or her standing as a credible leader and underscores the collaborative nature of cyber-preparedness efforts.
The take-out
Cyber-preparedness is no longer a niche concern confined to the IT or security department. It is a critical business imperative that demands the full attention of the board and C-suite. Effectively communicating the intricacies of cyber risks and the strategies to mitigate them is a nuanced challenge that requires strong relationships, a supportive security culture, meaningful metrics, and compelling presentations by the CISO.
By aligning these elements, CISOs can bridge the understanding gap and empower boards and C-suites to make informed decisions that safeguard their organisations from modern-day barbarians.