Cyber and compliance must look beyond just technology. This means having everyone on the same page and communicating requirements to C-level and the Board in a way they understand.
October 15, 2021
Communicating cyber security in a language the Board understands
There is no doubt that cyber security has taken a front-row seat in businesses of all shapes and sizes.
This is even more true for companies that are governed by a Board of Directors, where members of the Board can now be held personally liable for failures that release personal data of staff or customers.
As a result, executive teams are under increased pressure to talk cyber with their Boards, including the nature of their cyber risks and the protections being put in place to mitigate them.
The Board’s understanding of cyber
For those tasked with managing a company’s response to cyber threats, engaging in an effective way with the Board is one of their more complex activities.
Further, the environment in which companies operate has become less forgiving of cyber failures. For the past 15 years, the Ponemon Institute has published annual studies on the costs of data breaches globally. In its 2020 study, the average cost of a data breach was estimated to be USD3.86 million globally, and USD2.15 million in Australia. Larger “mega breaches” are much more costly. Breaches affecting 1 million to 10 million records cost on average USD50 million, and breaches impacting more than 50 million records cost on average USD392 million.
Board members understand this impact and want to support their cyber and risk teams, but are often not well versed in the technology or terminology. A different approach is needed to ensure Board members are clear on the approach the business is taking and its likelihood of success.
Nick Scholefield, former CIO at financial services company Perpetual, and current Chief Operating Officer for Cloud Managed Services and Technology at Interactive, understands the dilemma. Having reported to CEOs and Boards for APRA regulated and privately held businesses, he says the way a Board receives information is critical to their ability to engage and provide support.
“The Board wants cyber risks in a framework that they understand. To do so, we need to move away from the technology and separate the risk from the issue, the event and the impact.”
As Nick Scholefield says, “The risk is not that you suffer from a cyber event, but losing customer data, maybe breaching a legislative requirement or suffering reputational damage is the real risk. Start there and then share the controls you have in place to mitigate these risks and how you measure the success (or otherwise) of those controls. This is a format the Board will understand and one you can communicate with relative ease.”
Nick recommends the following style of risk tabulation to enable ease of understanding:
Develop your cyber security framework in a way the Board understands by accessing the white paper for free.
Click the ‘Download Now’ button and gain expert advice in:
Framing the cyber conversation to stakeholders
NIST vs The Essential 8: Which framework best suits your business
Assuring your supply chain
How to audit and prepare your business for key cyber risks
Learn how to effectively communicate your cyber security framework in a way the Board understands.