Kaelyn Barron

Senior Specialist

How (and why) CISOs should improve their IT risk communications with the board

With costly cyber incidents on the rise, it has become clear that the traditional divide between cybersecurity and governance, risk and compliance (GRC) no longer serves companies at a strategic level.

To build cyber resilience and protect themselves from a rising tide of cyber risk, organizations must find better ways to incorporate IT risk strategy into the board’s GRC efforts. Simply put: Cybersecurity is a GRC issue, and companies must behave accordingly.

This raises important questions: How can CISOs communicate IT and cyber risk within their organizations? How can they break through to executives and the board, and effect real change through smart policies?

This article outlines key strategies CISOs can use to improve their communications with top leadership, as well as background on recent regulatory developments and technology that makes effective communication easier.

Adapting to new regulations

In July 2023, the SEC officially adopted new rules for enhanced cybersecurity disclosures. The new regulations cover a lot of ground, and require organizations to disclose how the board executes its cyber oversight, how cybersecurity factors into core business strategy and how CISOs report within the organization — which will have major implications for companies of every size.

Businesses will also be required to disclose material cyber incidents within four days of confirming their materiality, which requires quantitative and qualitative analyses at the highest levels of the organization — further underscoring the importance of keeping the board up to date on cyber issues.

Bottom line: Cyber knowledge gaps won’t just leave your organization open to costly breaches — they have the potential to incur serious regulatory penalties.

Improving board communications around cyber

To effect change within their organizations, CISOs must craft a strong communication strategy to ensure the board has a deep understanding of IT risk. Here are five strategies you can use to accomplish this goal:

1. Make sure the board understands the full breadth of external and internal cyber risk. Many executives, even those with a good understanding of cybersecurity protocols, tend to think about cyber risk exclusively in terms of bad actors and cybercriminals. While those forces certainly represent serious threats, the reality is that internal personnel present a substantial source of cyber risk. In fact, 91 percent of successful hacks originate from phishing emails. Emphasizing this “human factor” of cyber risk makes it easier for boards to throw their support behind cyber awareness training programs, encouraging them to take a more holistic approach to managing cyber risk.
2. Speak their language. Many CISOs make the mistake of communicating in a hyper-technical language that alienates the board. For a better chance at achieving consensus on core cyber issues, present those issues in company- and industry-specific terms. Employ hypotheticals and real-life scenarios with concrete figures to illustrate the financial impact of a serious breach. For example, if a competitor recently experienced a high-profile breach, use it as a teaching moment to highlight vulnerabilities that could put your company in a similar position.
3. Emphasize the benefits of a proactive approach. Many board members are still stuck in a reactive frame of mind when it comes to cyber risk; for them, the purpose of cyber strategy is mitigating damage only after something’s gone wrong. Fortunately, the new SEC regulations offer CISOs a more prominent seat at the table when it comes to recommending proactive strategies that bolster cyber resilience and reduce the risk of materially damaging events. But CISOs cannot simply point to the regulations as the reason to implement more proactive strategies. Rather, they should help board members understand how a proactive approach can add business value — for example, by giving the business confidence to move with speed and agility, with assurance in cyber resiliency.
4. Solicit feedback. Be direct with your audience and determine if they have any lingering questions or preferred methods translating complex cyber risk issues into actionable policy. This arms you with more knowledge about how your board best receives information, and it also alerts you to lingering gaps in their cyber understanding and expertise. What’s more, it gives you invaluable insight into their emotional and psychological stance when it comes to cybersecurity, which you can leverage to create a stronger understanding as you iterate your communication strategy.
5. Use risk reporting technology. Presenting risk data in a compelling, digestible format is a real challenge, but it is easily remedied with risk reporting technology. These software options take dense, complex and scattered raw material, and draw out trends and priorities your board can latch onto — while also taking time-consuming work (such as data gathering, manual reporting and analysis) off your plate.

Making the most of risk reporting technology

Risk reporting tools, such as Diligent Board Reporting for IT Risk, equip CISOs with a suite of tools that turn effective board communications from a complex challenge into a simple, three-step process:

• Aggregate all your IT risk data within one platform and use third-party perspectives from Security Scorecard and Bitsight to add valuable context and benchmark yourself against industry peers.
• Create a standardized, repeatable set of risk dashboards with auditable, consistent and easy-to-understand reports that allow the board to see progress over time.
• Communicate the full breadth of your risk story while elevating the board’s understanding of complicated, nuanced IT risks and opportunities.

Turning cybersecurity into a business driver

The wave of cybercrime won’t ebb — in fact, the volume of attacks is expected to increase by 15% annually over the next three years. Forward-looking organizations recognize that cybersecurity is not merely a necessary cost — rather, they’re reframing cyber resilience as a core driver of business success. Businesses that proactively invest in modernizing their cyber resilience posture will actually see stronger growth, more reliably hitting their revenue and profitability targets.

What does it mean to transform cybersecurity into a business driver? This Diligent executive brief outlines a framework for building a culture of cyber resilience — bringing together technology and policy to drive change. Moreover, the brief highlights the role that the board and executive leadership must play in making this fundamental shift from reactive to strategic cyber resilience. Download the executive brief here.