Communication is essential not only to survival in business; an organization thrives when it can communicate crisply and clearly. The cybersecurity sector is no different. A recent survey conducted by the Ponemon Institute confirms just that: according to the report, only 9% of security teams feel they are highly effective in communicating security risks to the board and other C-suite executives.
CISOs might find it difficult to explain the importance of an organization’s cybersecurity plan to an audience that may view cybersecurity as one of many programs that are highly technical and hard to understand. CISOs are therefore more likely to get the support they need from top management when they step into the board’s shoes and clearly communicate and quantify the cyber risks at hand. Framed that way, the message is better received.
Stepping into the board’s shoes
Before discussions with the board or C-suite executives, CISOs should consider their communication approach and perspective. It is crucial that they report cyber risks in language the board can comprehend, since it can be frustrating to explain concepts such as advanced malware or technical controls to an audience that is not well versed in the technical side of cybersecurity.
From a board member’s perspective, cybersecurity is seen as a set of risks defined by their impact on the business and the associated expenses. The board wants to know where the organization stands on the cybersecurity spectrum and, if there are gaps, how the security team intends to fill them. Without overly technical terms or concepts, CISOs should shift the conversation from cybersecurity to cyber risk while giving concise, quantitative responses.
Evaluating Cybersecurity for the board
When reporting to the board, a CISO should accurately evaluate the organization’s cybersecurity risks and their impact on the business. Done well, this earns the CISO the board’s support and the funding required to execute the cybersecurity strategy.
There are four key areas to keep in mind:
- Classifying the key areas that are prone to cyber attack and the controls in place to deal with them. For example, organizations usually prioritize the risk of loss of property; in such a case the CISO classifies this as an area of risk and works toward educating colleagues on how the cybersecurity program is aligned with managing it.
- Comparing and measuring the organization’s cybersecurity posture against peer organizations. Comparison is the most common method of gauging performance, and the board is always interested in knowing what level of risk is acceptable.
- Measuring internal benchmarking data. This ensures the CISO knows, and can show, which parts of the organization’s cybersecurity plan are working and which are not. With this data, the board can easily see how risk is distributed across the organization and which areas are most exposed. The CISO should always show the actions necessary to mitigate the high-level risks and what is needed to bridge the gap and bring the risk down to a level the board regards as normal.
- Presenting a plan to achieve the recommended level of cyber risk, with insight into how to get there. A CISO’s plan should be broken down into smaller practical goals, each to be reached within a stipulated time frame and with the cost of achieving it. Since the CISO will also be responsible for executing the plan, they should also measure all the resources involved. At the next quarterly meeting with the board, all key risks and result areas should be highlighted.
If CISOs are unable to communicate the need for a better cybersecurity program to the board, the risk of a security incident increases twofold. Fortunately, CISOs today can use the various tools available on the market to present a proper case to the board. This brings transparency to the security posture and increases the efficiency of the security team, reducing the organization’s security risk.
To read more, please check eScan Blog