Translating geek to business: Helping board members make better cyber risk decisions
It’s no secret that cyber risk ranks highly on most organizations’ list of concerns. Cyberattacks can have devastating operational, reputational and financial impacts, so avoiding them should be a priority in company-wide decision-making at board level.
This represents a tough challenge for CISOs, because communicating cyber risk to the board is more art than science. Doing it effectively begins with formulating industry- and company-specific answers to a few questions:
What are the major cyber threats organizations face today? What is the best way for CISOs to communicate these risks to the board, and what are some obstacles to effective communication?
Diligent CISO Henry Jiang recently led a webinar devoted to answering these questions. Three leading voices on cyber resilience joined him:
- Phil Venables, CISO, Google Cloud
- Shawn Bowen, CISO, World Fuel Services
- Julie Tsai, Former CISO, Roblox
Here are a few key takeaways from their conversation.
There’s no one-size fits all approach to managing cyber risk...
Searching for a universal framework for managing cyber risk is tempting, but the truth is that each organization needs to build its own strategy around company-specific information. The nature of a business, the geography, and the markets in which it operates can all determine where CISOs and boards should focus.
“I think the thing that many boards need to remember is that there’s no kind of black magic here,” Venables notes. “Essentially, the board needs to apply the good old-fashioned risk discipline to this topic, just like they do with many other topics.”
…But there are a few common factors to consider
Still, there are two broad umbrellas under which cyber risk often falls:
- Technological vulnerability, whether in the cloud or on premises
- User error, whether internal or related to a third-party relationship
One misconception often held by board members is that cyber risk is inherently malicious. They may have the image of a shadowy hacker parked behind a computer screen, sifting through sensitive company information for something they can use.
But while malicious interference is undoubtedly a real threat, the board should also be aware of the risk of user error — internally generated vulnerabilities that arise when employees act carelessly with company data.
This threat also applies to extended liability related to third-party relationships, a growing source of significant breaches over the past few years. As Tsai points out, it's difficult to keep behavior consistent across different partnerships and business lines, and CISOs and boards must recognize this as a significant source of cyber risk.
New regulations are shaking up risk management
New regulatory developments from the SEC and FCC are amping up the stakes when it comes to proactive cyber risk management at the board level.
Tsai sums up the current state of change this way:
“I think what we're seeing is the beginning — or at least a mid-stage — of more mature expectations from regulators in the government in terms of what they're expecting from companies. It’s no longer enough to say that you tried, or you didn't know about something. [Regulators] expect you to understand what you're doing. [Regulators] expect the board to understand how to measure these things.”
A positive part of this development is that it solidifies CISOs’ seat at the table when it comes to delivering guidance to the board. They are no longer playing catch up with already-made board decisions. Instead, they can influence those decisions and help the board understand the importance of modern security technology and internal security training that prevents user errors.
It is critical that CISOs recognize this shift in influence and act on it.
CISOs have to play translator when communicating with the board
Board members share a genuine desire to understand cyber risk and sources of vulnerability, but CISOs who communicate risk in highly specialized or technical terms risk losing buy-in when reporting to the board. Furthermore, many board members serve on multiple boards and may receive several different perspectives on cybersecurity. This increases pressure on CISOs to advocate for their company’s security needs in company- and industry-specific terms.
The goal, as Bowen puts it, is “translating geek to business” — that is, translating the minutia of cybersecurity strategy into the terms of how potential threats would impact core business objectives.
One way to accomplish this is to seize on real-life scenarios. Let’s say a CISO’s company just experienced a near-miss incident where company data very nearly fell into the wrong hands, or maybe a competitor just experienced a high-profile breach that exacted a dramatic toll on their bottom line. CISOs can use these real-life incidents to connect cyber risk to material loss, which helps board members truly understand the stakes of a proactive strategy.
Collaborate and solicit feedback
CISOs are well-advised to build relationships with other business leaders within their organization, so they can advise on how cyber risk impacts those leaders' roles. When functional leaders incorporate CISO guidance into their board reporting, they enhance the visibility of critical cyber-related issues.
CISOs also shouldn’t be afraid to solicit feedback when it comes to their board reporting. This feedback can highlight areas in need of improvement, but it also alerts CISOs to potential gaps in the board’s understanding o fundamental cyber concepts. CISOs also gain insight into board members’ emotional and psychological stance when it comes to cyber risk, which can help them build mutual understanding down the line.
Want to hear more insights from our panel of industry experts? Watch the full webinar, “Mastering the Art of Cyber Risk Reporting to the Board,” here.
