The days of a hopeless disconnect between security leaders and the board of directors have come to a close—at least for enterprises with a healthy risk posture. Digitally savvy or not, in today’s business environment, board directors largely recognize they need an understanding of how cybersecurity risk overlaps with enterprise risk and the board’s overarching governance responsibilities, and they at least need to be conversant in cyber risk and how it could impact the organization—financially, reputationally, legally, operationally, and otherwise. The more digital the business becomes, the more cybersecurity becomes an existential issue to address, impacting the competitiveness, continuity, reliability, and overall trust of the enterprise.
High-profile data breaches, ransomware attacks, and other existential crises brought on by cyberattacks in recent years have shattered the outdated notion that enterprise security is the IT team’s burden to bear, replaced by an acknowledgement that cybersecurity is a board-level issue. Yet, according to a 2017 ISACA survey on tech governance, 87% percent of C-suite professionals and board members say they lack confidence in their company’s cybersecurity capabilities. This indicates that while most enterprise boards have come to appreciate their responsibility when it comes to cyber risk, there remains a level of translation required to make cyber risk insights more digestible—and therefore more useful—for board directors.
Here are three tips for communicating cyber risk to the board.
Understand the board’s responsibility
Effective communication to the board regarding cyber risk requires CISOs to understand the board’s scope and its fiduciary responsibilities in the context of each business as well how technology enables the whole business ecosystem. When possible, security leaders are well-served to enlist the support of enterprise risk management professionals, who are often best equipped to explain to board directors the operational and strategic risks that flow from cyber risk.