Boardroom Blindspot: How New Frameworks for Cyber Metrics are Reshaping Boardroom Conversations
Organizations have come a long way in stepping up cybersecurity risk reporting, but there’s still room to grow.
When collaborating with their board of directors, CISOs run into longstanding issues: Risk is complex and technical, and risk reports are often so detailed that board members lack context on how the metrics express the impact on the overall business or its future.
New regulations are forcing change on a global level. The U.S. SEC’s new cybersecurity rules, enacted in December 2023, and the EU’s Digital Operational Resilience Act (DORA), set for full adoption by January 2025, herald stricter guidelines for organizations, especially publicly listed ones. These regulations reshape how cybersecurity and risk management practices must be communicated to stakeholders, including boards.
There has never been a clearer signal from regulators that CISOs need to shift the conversation in the boardroom and show board members how cyber risks urgently impact their business. Here are three tangible ways leaders can simplify risk reporting, stay compliant, and make cyber metrics meaningful to all leaders, even those who are not risk experts.
Tighten up Third-Party Risk Reporting
Third-party risks have been on board radars for several years now, with the headlining Solar Winds data breach of 2020 putting vendor risk front and center.
In the EU, the Digital Resilience Operational Resilience Act, or DORA, introduces regulatory oversight of critical third-party providers such as cloud platforms and data analytics services. Financial institutions will be expected to have robust third-party monitoring and incident reporting processes in place. This operational resilience regulation is just one of many around the world, and it’s no surprise given the interconnected nature of risk, that governing bodies are looking specifically at the criticality of third-party risks.
What does this mean for CISOs and their boards? Communicating to the board about third-party risks becomes not only critical but required as part of a cyber risk practice.
To simplify and communicate the third-party risk environment, CISOs should create a centralized map of IT vendors, the business units they serve, where they operate, associated regulations, and controls so that the board has a clearer picture of the third-party risk universe. From there, it’s easier to understand how to allocate resources for optimal impact.
Level-Set and Level Up Your Board
One of the largest global banks had a data breach in 2019 when a former Amazon Web Services employee gained unauthorized access to the personal information of millions of bank customers. This brought boardroom dynamics and risk into mainstream awareness. This case is a prime example of a lack of board oversight, ill-conceived cloud security practices, and disregard of the evolving cybersecurity landscape. It’s a prime example of why boards of directors need to bring value, expertise and oversight to a company – so much more than a list of prominent names.
Notably, regulators are codifying transparency and accountability practices for boards within recent cybersecurity regulations. For public companies in the U.S., the SEC now requires annual reporting on board activity, including its oversight of cybersecurity risks, its role and expertise in assessing and managing material cybersecurity risks, and how the company informs its board and risk subcommittee about cyber risks. Boards also may be involved in determining the materiality of a cybersecurity incident, under the new SEC framework, which should raise the question for companies: do the current board members have enough risk experience to reasonably determine materiality?
This is an indication from regulatory bodies that CISOs can’t, and shouldn’t, operate alone or be solely held accountable in the event of an attack. As was the case with Clorox’s cybersecurity incident last year, scapegoating CISOs doesn’t instill true accountability and responsibility among leadership, nor does it bolster cyber defenses against future attacks.
Leaders should see the board-specific updates to these regulations as a call to action: Does your board have true cybersecurity or risk management experience? If the answer is no, it might be time to make changes to the board to ensure there are documented leaders with risk experience in the room. These experts can be a CISO’s biggest allies when communicating to the wider board or making technical cyber risk decisions such as determining materiality.
Keep it Simple
Ideally, boards have one or more sitting executives with risk experience, but the reality is that boards primarily consist of executives with a non-technical understanding of risk management methods. Risk and cybersecurity information must be always conveyed in easy-to-understand, business-oriented language.
Start by quantifying risk in monetary or dollar terms. Board members may not understand the technical details of Monte Carlo simulations or probabilistic risk assessments, but they do need to understand the potential impact of risk on the business in the most efficient way. Quantification can help anyone understand how the business anticipates risk, prioritizes risk controls, and takes preventative action against risk.
Tailor risk information to board members, depending on their expertise and the board report’s purpose. There is no one-size-fits-all approach to reporting. CISOs can segregate risk metrics into categories, like security, financial, third-party, or employee awareness risks. Grouping information together helps non-technical executives understand how risks are interconnected and what’s being done to anticipate these risks. CISOs should also consider the purpose of the report when choosing metrics to share with the board. A regular review report on cybersecurity should look different than a case-specific report, which might detail an incident or share specific metrics ahead of a major acquisition or new line of business.
Finally, use analogies. Real-world examples can go a long way in ensuring board members understand the risk landscape and make the most fact-based decisions. Analogies create common ground and expedite understanding of complicated issues.
A New Foundation for Risk at the Board Level
CISOs know that cyber risk is serious. The challenge is getting other leaders to take up the mantle and share their sense of urgency.
With new frameworks for cyber metrics and reporting being implemented globally, regulators have effectively elevated risk to the same level of board awareness as financial risks. It’s time for boards to get on board.
