Your organization’s board has a unique role to play in managing cyber risks. Board members are not involved in the day-to-day cyber security strategy development and execution, but they are responsible for oversight and serve as fiduciaries.
Although it can be difficult for board members to engage around cyber risk, board members are expected to ensure that cyber risk remains on the agenda, as it can affect customer data, trade opportunities, and share prices, among other things.
Despite the fact that cyber risk became a board-level topic quite some time ago, boardroom stakeholders who drive the cyber security conversation can have misaligned viewpoints, translating to inconsistent corporate visions and weak decision-making.
In this article, we’ll discuss the cyber security delta between stakeholders, common stakeholder stumbling blocks, and how to address and overcome the aforementioned challenges.
The delta between stakeholders
Fewer than 50% of board members regularly interact with the CISO. Approximately a third of board members only see CISOs at board presentations. In other words, these leaders often fail to connect frequently enough to collaborate meaningfully on cyber security strategy. This communications gap can impede progress around cyber risk management as a whole.
In addition, a CISO’s conversation with the board sometimes revolves exclusively around cyber attack protection. The main question defaults to ‘do we have enough security?’ However, research indicates that CISOs would do well to shift the conversation to operational resilience. Rather than focusing the conversation on security mechanisms, the question ‘how can we become more resilient?’ should be asked.
Making conversation meaningful
A CISO can benefit from acting as an impartial business risk advisor, rather than a technical expert who would like to, say, secure additional budget. Creating an ecosystem that frames cyber risk in terms that the board can understand will make messages more relevant, resonant and impactful.
In demonstrating the value of cyber security, CISOs should use language and metrics showing that security serves as a revenue driver. For example, CISOs can demonstrate the ROI of removing a threat or vulnerability. Or, CISOs can show the revenue the organization would otherwise lose if a specific security control were not implemented.
In speaking with board members, CISOs should take care to avoid leveraging fear, uncertainty and doubt (FUD) in order to convey messages or to win approval. Using scaremongering tactics can give board members the impression security costs are excessively high.
Developing the rapport (beyond meetings)
To achieve goals and find allies, board members and CISOs or other relevant technical stakeholders should invest in connections outside of the boardroom. This builds trust, an invisible element within business that enables an organization to thrive.
Further, engaging beyond the four walls (or virtual boxes) of the boardroom provides all stakeholders with insights and context that can inform communication, goals and progress against objectives.
For more insights into how boards and cyber security leaders can effectively collaborate and manage risk, please see CyberTalk.org’s past coverage.