Sunday, 13 October 2019
Communicating the Impact of Risks in Cyber Security to the Board
CISOs are increasingly communicating the longer-term impact of risks in Cyber Security to the Board of the organization. Kindly advise on the format, metrics, parameters and template that are best recognized by Boards of global organizations and that can be adapted regionally as well. Are there any nuances of reporting to the Board that depend on the vertical market segment or any other variables?
Managing the high-stakes risks involved in cyber security is the responsibility of a CISO. While the topic is gaining traction in every business environment, Board members are now getting more involved and are developing a better understanding of the security implications and landscape. It is up to CISOs to create a communication channel through which Board members are updated on global trends and regulations, taken through the organization's security strategies and performance, and made aware of the business enablement that cybersecurity brings to the table. Supplementing this with competitors' security performance definitely helps. In fact, what is important in the current situation is that CISOs work towards ensuring that security is treated as a shared responsibility in attaining business goals and objectives, and is given the status it deserves.
What applies globally is certainly what will work in the Middle East when it comes to presenting the facts on cybersecurity to the Board. Without getting too complicated, there are a few basic metrics, such as the severity of cyber-risk incidents, financial impact, and the number of tier 1 institutional clients affected, that will enable clearer reporting to the Board. Always make sure to keep all metrics SMART: Specific, Measurable, Accurate, Reliable and Timely. It is good practice to use standard Red/Yellow/Green indicators, which can quickly show the Board the organization's alignment with its risk, compliance and governance targets. Also, since most members may not have a strong technical background, keeping it simple and avoiding technical jargon is paramount. A good route is to translate security objectives into business goals and outcomes, which are more relevant to Board members. The current cybersecurity posture, and where it is headed, is best represented by templates that are data-driven and carry a meaningful message for the audience they are presented to.
Besides, CISOs must ensure that they are always equipped with any information that may be required to tackle the full range of queries from Board members. And, once a CISO has set foot in the Board room, they must capitalize on the opportunity to highlight the importance of cybersecurity and to build ongoing, across-the-table relationships that keep cybersecurity on the Board's agenda.