Board members are becoming increasingly inquisitive about the state of cyber security in their organisations. The statutory requirements of directors to be aware of security risks is growing across the globe, which reflects the increasing frequency of incidents which can significantly affect share-price, brand and reputation, as well as shareholder confidence.
Board members, non-executive directors and audit committee members now expect regular briefings on cyber security. Securing investment and confidence from the board is increasingly difficult and delivering updates that satisfy board members can be challenging.
In our experience of helping organisations and CISOs define their governance requirements around cyber security, we have found the following five activities to be particularly useful:
1. Consider how you will convey your cyber security message
There are a number of pitfalls that CISOs, and those responsible for information security, should avoid when engaging with the Board. First of all, Board members will be overly-familiar with PowerPoint based presentations, so think how else you can get your message across without relying on slides. Talk in their language and be wary of drifting into technical speak.
Be succinct and if you have to provide any material in advance, keep the information to no more than two pages.
Paul Gribbon, Security Advisory Practice Leader for 2|SEC Consulting explains,
“Ultimately, understand why you are there – it’s unlikely that you are being asked just to provide an information update. Are you looking for endorsement? Additional budget? A strategic decision or guidance from the Board? Tailor your message and help lead the Board towards your end goal”.
2. Relay the information to your board in a risk-based format
The Board will understand ‘risk’ far better than you may initially appreciate. Ensure that you can explain how cyber risks have been quantified, and how these relate to your own KPIs. Scaremongering will not win widespread, sustained support so be wary if you choose to present risks in terms of ‘worst case’ impact and likelihood. Being able to demonstrate how previous investment has helped to mitigate risks will show the Board that you’re responsibly spending their money and is more likely to gain their trust as a result. There are a number of risk models in use for cyber security board presentations.
3. Demonstrate how the organisation is improving its maturity
Boards will want to understand how their organisation compares to their peers, and how it is maturing over time, in line with their risk appetite.
There are a number of cyber and information security frameworks available which can help organisations and CISOs demonstrate their maturity and/or state of compliance.
Understand your own regulatory environment and be clear what will help grow the business – seek help to cut through the confusion.
Gain executive sponsorship where the organisation decides to adopt anything that impacts the entire business, as opposed to just the IT department.
How is any investment going to change the business in a year’s time and what more will be required?
4. Gain board level sponsorship
CISOs and those responsible for information security will find it difficult to gain traction with the Board unless there’s someone in the C-suite fighting their corner. Unlike most other disciplines, cyber security does not neatly fall under one company department or division, meaning that CFOs, COOs, CIOs and the other executives may be looking at each other to take forward issues brought before the Board if reporting lines are not clear at the outset.
Befriending the company secretary is a useful way of understanding the dynamics of Boardroom environments, and from there, you can identifiy the appropriate ally to sponsor cyber security issues going forward.
5. Identify the key information and cyber security risks facing the organisation
Think like an adversary – if you properly understand your business environment and your assets, then you can put yourself in shoes of an attacker. As part of a proper risk assessment, you should be able to apply the appropriate controls to the right areas of the business, without unnecessarily scaring the Board and trying to adopt wholesale expensive technical controls.
Paul Gribbon concludes,
“Ultimately, you need to consider the following:
- What are your key sensitive data assets?
- Have you assessed the threat landscape from all perspectives? Does this include an assessment of the insider threat – either through malicious intent or accidental activities?
- Do new ways of working pose new risks?
- How does new legislation and regulation impact the organisation?
Addressing all of these aspects will help organisations and CISOs define their governance requirements around cyber security”.
2|SEC Consulting specialises in working with organisations across the UK to improve cyber security maturity through a variety of security assessments and projects. If you would like more information on how our review can assist you to better brief your board members, or for more information, please contact us on 020 7877 0060 or email us at firstname.lastname@example.org.