Insights • 3 minutes read

Getting the Board on board: Communicating cyber security risks

There is no doubt that cyber security risk has taken a front-row seat in businesses organisations of all shapes and sizes. For those tasked with how to manage a company’s response to cyber threats, effectively engaging with the Board is one of their more complex tasks.

interactive-insights-communicating-cyber-risk

The Board’s understanding of cyber

Board members want to support their cyber and risk teams, however, are often not well versed in the technology or terminology.

What was once communicated as an IT challenge, should now be framed as a business problem, ensuring the Board understands the seriousness of potential implications. Evolving cyber security challenges should be communicated as business implications. To do so, you must steer away from the technology and separate the risk from the issue, the event, and the impact.

Here are some guiding principals to get you started.

interactive-insights-communicating-cyber-risk-1

1. Keep it simple

Technology aside, take a moment to really understand the Board’s obligations as well as the organisation’s responsibility to its industry and customers. What do these obligations look like in simplistic terms? What would be the reputational risk of a cyber breach? Would a breach result in the loss of customers, or an important accreditation?

Asking these kinds of questions will help you to approach cyber security risk management from a business perspective; it’s no longer just an IT issue. In other words, just keep it simple – the technical aspects of cyber risk are irrelevant to the Board. Their main concern is the business impact.

Key Insight By communicating risk from a business perspective, you’re more likely to gain buy in from the Board. You can then start to consider what tools and technology do you need to underpin that business outcome.

2. Communicate early and often

There is only one way to effectively communicate cyber security risk – early and often. This comes from adopting the mindset that preparation isn’t based on ‘if’ a cyber attack occurs, but ‘when’.

Often cyber risk is perceived as something that should be keep under wraps – often leading to communication at the last minute. It’s time we recognise that it’s okay to bring risks to the surface – having an open, trusting culture is the key to reducing future cyber risks.

Using a validated external framework can also help provide both credibility and assurance that you are making solid inroads towards a strong cyber posture. Frameworks enable ease of understanding when it comes to communicating cyber risk information to any interested party, ensuring everyone remains updated.

3. Preparation is key

Having regular open conversations with the Board about the evolving cyber landscape can help articulate the threats, risks, and associated impact to the business, ensuring the right protections are in place to mitigate them. It’s important to ensure that cyber security is included as a standing agenda item for board meetings. Conducting additional quarterly board-level conversations that focus on cyber security will also help to reinforce the message that as long as risks continue to grow, cyber security should remain the top priority.

Talk to our team today to minimise your business risk, reduce internal costs, and be confident that your business, data, and people are being guarded by an onshore team of cyber security experts, 24×7.