February 1, 2024

Communicating Cyber Security Risk to the Board


Communicating cyber security risk to the board can be a key function of senior security roles. While cyber risk oversight is a function of the board, be it fully or partially shared with internal teams such as the audit committee, the implementation, actual operation and management of the security program is not their responsibility. If you are the person tasked with communicating to the board, then the challenge is to present the information in a way that allows them to understand and fulfil their own responsibilities.

Effectively communicating the cyber position and risks upwards to the key stakeholders is a crucial task. A predictable outcome of a communication failure is that the board is left with the impression that risk isn't being managed; combined with the constant stream of negative media around compromised organisations, this fills them with worry. To help address this issue, we have collated a list of ten tips and tricks you can use to get your messages across effectively. These are as follows:

Understand why you are there

When you are in the throes of the meeting and fielding difficult questions, it's easy to forget why you are there. The unconscious assumption is that you are there to make you and your team look good and defend your position. Remember why you are really there: to update the key stakeholders as to their cyber risk, to help them fulfil their responsibilities in providing governance and oversight. You need to tell them what they need to hear, not what you want them to hear.

Have an objective

With any meeting it's good practice to have an objective. By keeping that clear objective in mind, you can keep the conversation on track. A board update is no different: have a clear objective, and make it part of your preparation to assess whether your messaging actually addresses it.

Answer the three big questions

Remember, boards aren’t interested in technical details on how the organisation has minimised risk, they are looking for insight on the state of the organisation’s cybersecurity program and the associated business risks. In each meeting, there are three key questions that need to be answered without getting bogged down in technical detail:

  • What is happening in the threat landscape relevant to us?
  • What did we do internally to reduce that risk?
  • What is the current state of risk in our environment?

Understand your audience

Understanding your audience is key in any situation. Building a relationship with board members can definitely help, but is not always possible as you may only see them every quarter. Conversations away from the formality of a board can allow you to understand their concerns (and maybe alleviate them), what their responsibilities are, and ultimately understand the language and level at which to talk to them, which leads us nicely to our next point.

Speak to your audience at a level they understand in a language they understand

Remember that board members are likely very smart people; if they weren't they wouldn't be in their position (mostly!). They may not be able to tell you the difference between EDR and DLP, but they don't need to, as it's not their job. Use language the audience is familiar with. For example, the board is likely to be familiar with risk, insurance and quantified loss; by framing your points in these familiar concepts, the board will understand and be engaged, and you in turn will be more effective in getting your point across. Ultimately, if the audience does not understand, it's not their fault; it's your fault for failing to communicate effectively.

If you quote an authoritative source, make sure it's a source that the board consider authoritative

NCSC, NIST, CIS, CREST, DoD etc. It's highly likely that while a security or risk professional may consider these authoritative sources, the board may not, and it's more likely that the board doesn't even know who these organisations are. When referencing authoritative sources to make a point, ensure that the source is authoritative to the board, not to you. External audit and security assessment findings can be a good authoritative source.

Bring new members up to speed

With each meeting your board becomes more savvy: you relay more information and context, and their understanding of your position becomes more mature. Board members come and go, and as a result there may be a requirement to bring new members up to that same mature level. This again works well if you can have conversations or sessions outside of, and in advance of, the board itself, thereby avoiding unexpected questions and getting the new member up to speed.

Be authentic

It takes a long time to build trust and seconds to destroy it. As the eyes and ears of the board with relation to their cyber risk you need to be a trusted source. The number one rule in this regard is to never make anything up, even if you are under pressure to answer. Remember, it's perfectly acceptable to say “I’m not sure, but I will go away and find the answer.” Fumbling around questions trying to work out an answer whilst in the spotlight is fooling nobody and people will see right through it. This takes us onto...

Be prepared, anticipate the hard questions and answer them before they ask

It's not always going to be plain sailing; someone is going to ask you difficult questions and you need to be prepared for them. Too many people know the awkward questions and avoid them in their own mind, hoping that they won't come up. The best thing that you can do is to anticipate the difficult questions and answer them in your update before anyone gets the chance to ask. In your preparation you should refer back to the minutes and actions from previous boards, and avoid being caught out by having an action against your name which you haven't done anything with for the last 3 months (not talking from personal experience... definitely not).

Choose your metrics

There is absolutely no need to flood people with 52 charts, 28 graphs and 42 other metrics. No one is going to read them and even fewer are going to understand them. Try to condense your metrics down to one or two pages and make sure they are meaningful. Reduce them down to what the board needs to understand: Is our situation getting better and are we moving in the right direction? What are the risks to the business?

All boards operate the running order differently, with differing levels of formality, numbers of members, frequency and many other variables. A commonality is the appreciation of someone who is prepared, clear and concise and who gives them the ability to perform their governance and oversight from an informed position.


Written by

Precursor Security
