Communicating Cybersecurity Effectively to the Board

Cybersecurity has always been an unsought-after investment, like insurance – only useful when something bad happens. And it has always been challenging for security leaders to communicate the value of cybersecurity investments to boards and peers. Everybody in an organization has their own perspective on cybersecurity, and that is why security professionals have always found it difficult to convince management and get the budget approved.

But the situation is changing, as boards and management are becoming aware of the importance of cybersecurity. Now it is the security leader’s responsibility to communicate that importance effectively. This matters even more in the current scenario, where huge risks of cyber breaches are looming and organizations are cutting costs because of slow business in order to survive the pandemic.

In this blog, we talk about the best practices to effectively communicate cyber security to the board and management.

Be in Your Audience’s Shoes: Speak the language of the board and quantify cyber risks

As per Deloitte’s 2019 Future of Cyber Survey, half of the C-level executives responded that their organizations do not use any quantitative risk evaluation tools at all, while the other half still rely largely on the experience of their cyber experts or on maturity assessments.

  • Quantify Cyber Risks: In today’s “cyber everywhere” era, it is of utmost importance to be able to accurately quantify cyber risks before an incident occurs. CISOs who can communicate the dollar value the organization would lose in case a breach happens make more sense to the board and C-suite executives.
  • Communicate return on security investment (ROSI): The board and management are always concerned about the output of the investments made. Security leaders can express return on investment (ROI) in terms of the risk the investment removes, by calculating ROSI (return on security investment):

ROSI (%) = ((ALE − mALE) − Cost of Solution) ÷ Cost of Solution × 100

ALE = annual loss expectancy, or the total financial loss expected from security incidents

mALE = modified annual loss expectancy, i.e. the ALE that remains once the security solution has delivered its savings (so ALE − mALE is the saving the solution provides)

Presenting the cybersecurity investment vs. risk reduction in terms of dollar value can be a good way to communicate the importance of cybersecurity for the organization.
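The ROSI calculation above is easiest to defend in a board meeting when it is applied consistently across several candidate investments rather than to a single line item. The following is an added worked example, not code from the original post or from MetricStream: it derives the ALE from a single loss expectancy (SLE) and an annual rate of occurrence (ARO), computes mALE as the ALE remaining after a control, scores each control with the ROSI formula, and ranks the controls. All dollar amounts, control names and risk-reduction percentages are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    """A candidate security investment (all values hypothetical, constructed for this example)."""
    name: str
    annual_cost: float      # yearly cost of the solution, in dollars
    risk_reduction: float   # fraction of the ALE the control is expected to remove, 0.0..1.0


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: the expected yearly loss from one incident type."""
    if single_loss_expectancy < 0 or annual_rate_of_occurrence < 0:
        raise ValueError("loss and frequency must be non-negative")
    return single_loss_expectancy * annual_rate_of_occurrence


def modified_ale(ale: float, risk_reduction: float) -> float:
    """mALE: the loss expectancy that remains once the control is in place."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return ale * (1.0 - risk_reduction)


def rosi(ale: float, male: float, cost_of_solution: float) -> float:
    """ROSI = ((ALE - mALE) - cost) / cost, returned as a fraction (0.5 means 50%).

    A negative result means the control costs more per year than it is expected to save,
    which is exactly the case a board will want to see called out rather than hidden.
    """
    if cost_of_solution <= 0:
        raise ValueError("cost_of_solution must be positive")
    savings = ale - male
    return (savings - cost_of_solution) / cost_of_solution


def rank_controls(ale: float, controls: List[Control]) -> List[Tuple[str, float]]:
    """Return (name, ROSI) pairs sorted from best to worst return on the given ALE."""
    scored = [
        (c.name, rosi(ale, modified_ale(ale, c.risk_reduction), c.annual_cost))
        for c in controls
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def board_line(ale: float, control: Control) -> str:
    """One sentence in dollar terms, the form of statement the post recommends for the board."""
    male = modified_ale(ale, control.risk_reduction)
    r = rosi(ale, male, control.annual_cost)
    return (f"{control.name}: ${control.annual_cost:,.0f}/yr reduces expected annual loss from "
            f"${ale:,.0f} to ${male:,.0f} (ROSI {r * 100:.0f}%)")


# Constructed scenario (not from the post): a ransomware incident costing $500,000,
# expected about once every five years (ARO 0.2), giving an ALE of $100,000 per year.
SCENARIO_ALE = annual_loss_expectancy(500_000, 0.2)

# Hypothetical candidate controls with assumed costs and risk-reduction fractions.
CANDIDATE_CONTROLS = [
    Control("Offline backups", annual_cost=20_000, risk_reduction=0.60),
    Control("EDR rollout", annual_cost=50_000, risk_reduction=0.70),
    Control("Awareness training", annual_cost=10_000, risk_reduction=0.15),
    Control("Managed SOC service", annual_cost=80_000, risk_reduction=0.50),
]

if __name__ == "__main__":
    for name, value in rank_controls(SCENARIO_ALE, CANDIDATE_CONTROLS):
        print(f"{name:<22} ROSI {value * 100:7.1f}%")
    print(board_line(SCENARIO_ALE, CANDIDATE_CONTROLS[0]))
```

Run as a script, it lists the four hypothetical controls from highest to lowest ROSI; the managed SOC line comes out negative because its assumed $80,000 cost exceeds the $50,000 of loss it removes, while the EDR rollout removes the most loss but returns less per dollar than the cheaper backup program. Ranking on ROSI alone is only one input to the decision, since a large negative-ROSI control may still be required by regulation or by a contract.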

  • Use simple, comprehensible language: It is important that security leaders communicate cyber risk in a language that the board and the rest of the C-suite can comprehend. If you try to explain malware and other technical details to them, it is a waste of their time, as they are not familiar with the technical side of cybersecurity.
  • Competitive comparisons: Comparing the organization with its peers in terms of risk scores, cybersecurity posture, industry averages and so on can be helpful, as the board and C-level executives want to stay ahead of the competition in their readiness to face challenges.

Communicate the severity/losses of not having a robust cyber security program

According to the World Economic Forum’s Global Risks Report, “Data fraud, data theft, and cyberattacks are among the top five biggest risks the world faces.” That is because of the huge business impact of cyberattacks — for example, NotPetya cost Maersk an estimated $300 million after the malware shut down its operations, and Verizon paid $350 million less for Yahoo after Yahoo suffered two cyberattacks.

  • Quote reports on losses due to not having a robust cybersecurity program: Security leaders can use such reports as a tool to communicate the value of a robust cybersecurity program. For example, they can quote industry research such as: “According to a recent Accenture report, the average cost of cybercrime to an organization has risen to $13 million. Organizations must understand that cyber risk is a business risk for businesses of all sizes and industries.”
  • Use real-world stories and facts: Using proper reports, stories and facts while presenting to the board helps them understand the financial risks they face if they get hacked. Stories about recent breaches at peer organizations are very relevant here.
  • Prepare a cybersecurity plan and roadmap: Communicating a cyber security plan for reaching the desired level of cybersecurity maturity, with quantifiable insights on improvement, helps management comprehend it better. Security leaders should come with a plan covering their existing cyber risks and a roadmap for closing those gaps.

Build trust and engage leadership

Winning the trust of the leadership and establishing your own credibility is again very important for building a culture of “Cybersecurity Everywhere” and convincing management to approve the required resources.

  • Engage leadership in cybersecurity discussions: Security leaders should engage leadership in cybersecurity dialogues and build trust. They should not wait for board meetings to talk to the leadership about cybersecurity; they should report on the progress of the different cybersecurity programs and take the leadership’s feedback and advice on a regular basis wherever possible.
  • Get your colleagues on your side: It is always good to have someone who supports your point of view when presenting to the board. To build trust with leadership, it helps security leaders to get support from their colleagues while communicating cybersecurity to the board – so that the board understands the value of a “cyber-everywhere” mentality.

Be prepared to face objections and questions

When security leaders are preparing to present to the board or to C-suite executives, they must be ready to face all kinds of non-technical, and sometimes technical, questions as well.

  • Be ready with all the required collateral: Have all standard collateral on hand, depending on the agenda of the discussion. If it is a budget-approval board meeting, security leaders should be ready with the current state of cyber security, the gaps, and their action plan to close those gaps and build robust cyber security. They should have collateral such as case studies, use cases, slide decks, and risk quantification data wherever possible.
  • Listen carefully to the board and provide answers: Prepare to defend and answer questions about cybersecurity investments and other related topics. Sometimes you might get a surprise question; be a composed listener and answer carefully.

It is critical for CISOs and security leaders to communicate the value of cybersecurity effectively. If they are unable to communicate and quantify their cybersecurity risks properly, priority projects will not get the funding they require, and this will lead to increased cyber risk for the organization.

Amit S Bhadauriya, Manager, Product Marketing, MetricStream, is a product marketing enthusiast for IT Governance, Risk and Compliance (IT GRC), and cyber security technology, products and services.