Getting the Board on board: Communicating cyber security risks
For those tasked with how to manage a company’s response to cyber threats, effectively engaging with the Board is one of their more complex tasks.Key Takeaways
- To help board members understand cyber security risk, frame it as a business issue, not an IT issue.
- Effective communication about cyber risks should be early and consistent, fostering an open culture that encourages transparency around potential threats.
- Regular board-level conversations on the evolving threat landscape ensure security controls keep pace with changing risk.
The Board’s understanding of cyber
Board members want to support their cyber and risk teams, however, are often not well versed in the technology or terminology.
What was once communicated as an IT challenge, should now be framed as a business problem, ensuring the Board understands the seriousness of potential implications. Evolving cyber security challenges should be communicated as business implications. To do so, you must steer away from the technology and separate the risk from the issue, the event, and the impact.
Here are some guiding principals to get you started.
1. Keep it simple
Technology aside, take a moment to really understand the Board’s obligations as well as the organisation’s responsibility to its industry and customers. What do these obligations look like in simplistic terms? What would be the reputational risk of a cyber breach? Would a breach result in the loss of customers, or an important accreditation?
Asking these kinds of questions will help you to approach cyber security risk management from a business perspective; it’s no longer just an IT issue. In other words, just keep it simple – the technical aspects of cyber risk are irrelevant to the Board. Their main concern is the business impact.
2. Communicate early and often
There is only one way to effectively communicate cyber security risk – early and often. This comes from adopting the mindset that preparation isn’t based on ‘if’ a cyber attack occurs, but ‘when’.
Often cyber risk is perceived as something that should be keep under wraps – often leading to communication at the last minute. It’s time we recognise that it’s okay to bring risks to the surface – having an open, trusting culture is the key to reducing future cyber risks.
Using a validated external framework can also help provide both credibility and assurance that you are making solid inroads towards a strong cyber posture. Frameworks enable ease of understanding when it comes to communicating cyber risk information to any interested party, ensuring everyone remains updated.
3. Preparation is key
Having regular open conversations with the Board about the evolving cyber landscape can help articulate the threats, risks, and associated impact to the business, ensuring the right protections are in place to mitigate them. It’s important to ensure that cyber security is included as a standing agenda item for board meetings. Conducting additional quarterly board-level conversations that focus on cyber security will also help to reinforce the message that as long as risks continue to grow, cyber security should remain the top priority.
Talk to our team today to minimise your business risk, reduce internal costs, and be confident that your business, data, and people are being guarded by an onshore team of cyber security experts, 24×7.
