SBN

How to Speak to Your Board About Cyber Risk

Board members may not have computer science or statistics degrees, and the language of bits and bytes often sounds foreign to the untrained professional. Going into the nitty gritty of the probable magnitude of a loss and probable frequency may only cause more confusion and delay decision-making.

As cyber threats continue to grow, society and regulators require greater accountability from board members and C-level leaders. Board members may eventually become liable for breaching their fiduciary duty if they don’t insist on meaningful information to make cybersecurity decisions. We’ve already seen class-action lawsuits after the Capital One breach, and it’s possible the US government will pass cybersecurity legislation to help mitigate the impact of future incidents.

What is meaningful information for board members? After all, organizations are already doing cybersecurity assessments for compliance, and CISOs are most likely reporting the current state of their cybersecurity program using various tools and techniques. We’ve all seen the famous red, yellow, and green traffic light heat maps. And having access to this reporting is better than having no data. But is the reporting helpful for board members? Does it genuinely move the needle to reduce cyber risk and help board members make the best cybersecurity decisions? Qualitative reporting, unfortunately, is not always objective, defensible, or depicts cybersecurity in business terms.

While assessments on compliance and maturity are excellent for understanding the present state and providing a score to track improvement, they are only one piece of the reporting puzzle. Board members benefit more from financial reporting, which is easy to understand and is derived from a defensible source of truth. As the news paints a grim future on cyber-readiness, board members need to understand cybersecurity in business terms—dollars and cents, not a red, yellow, and green grid.

Using quantified cyber scenarios as the foundation for board reporting is increasingly popular. Some common scenarios board members are concerned about include:

  • Attacks on third-party vendors over which control and visibility are limited. In our previous post, Axio’s VP of Cyber Risk Quantification, Brendan Fitzpatrick, talked about the recent NHS breach.
  • Ransomware on controls systems for manufacturing and IoT or medical devices.
  • Attacks on connected critical infrastructure control systems.

So how do you brief the board on cybersecurity?

The main thing is to remember to keep it simple.

Board members may not have a degree in computer science or statistics. The language of bits and bytes often sounds foreign to the untrained professional. And going into the nitty gritty of the probable magnitude of a loss and probable frequency may only cause more confusion and delay decision-making. This is exactly why traditional methods of cyber risk quantification have caused fatigue, both for the practitioner and consumer of information.

When cyber risk quantification is done right, board members can quickly make decisions. They can understand the organization’s current cyber risk relative to the business’s mission and see how their decisions will reduce exposure. As mentioned above, using prioritized cyber scenarios as the focal point of communication when briefing the board enables you to capture the entire landscape instead of only emphasizing a few pixels in the periphery.

Complete and unobstructed visibility – it’s what board members crave for an efficient and pleasant board meeting. With the right data, conversations around cyber risk reduction map to budget and ROI, enabling everyone to understand how much was at stake to begin with. Axio360 board reporting excels at providing this level of rapid cyber scenario understanding—in dollars and cents. Security leaders such as CISOs are now tasked with presenting a defendable report to the board that makes financial sense. We’d be happy to demo how our board reporting feature fulfills this need so that the board can empower the CISO and vice versa. A win-win security situation!

If you’d like to learn more about Axio360 cyber board reporting, we welcome you to schedule a brief demo.

*** This is a Security Bloggers Network syndicated blog from Axio authored by David White. Read the original post at: https://axio.com/insights/how-to-speak-to-your-board-about-cyber-risk/