Securing Success: Talking to the Board About Cyber Risk

Cyber risk across all business levels influences operations, reputation, and compliance. Cybersecurity is a big deal. Therefore, oversight from the board is pivotal for effective mitigation.

However, according to a recent National Association of Corporate Directors (NACD) survey, fewer than 15% of directors express high satisfaction with the cybersecurity information management provides. Here are some tips for improving board-level discussions on cybersecurity.

What your board needs

Boards offer strategic oversight while management handles execution, which includes cyber risk management. Regardless of industry, regulations, or geographic footprint, boards generally seek from management a translation of technical details into business terms—highlighting risks, opportunities, and strategic implications.

Here are questions board members should ask CISOs (and the questions CISOs should be able to answer clearly):

1. What is our cyber risk appetite?
2. What are the most important metrics we use to monitor and evaluate risk to the company?
3. What is the business case for cybersecurity? Put another way, how can cybersecurity enable other business functions across the enterprise?
4. What are the levels of insider and outsider risk?
5. How do we measure the effectiveness of our organization’s cybersecurity program and how it compares to those of other companies? For example, how do we track cybersecurity awareness across the organization through indicators such as policy compliance, implementation and completion of training programs?
6. How do we assess the cyber risk position of our suppliers, vendors, joint venture partners and customers?
7. How much of our IT budget is spent on cybersecurity-related activities? How does this allocation compare to our competitors or other outside benchmarks?
8. How many data incidents has the organization experienced in the last reporting period? Getting into the details, what are the critical trends, patterns and root causes?
9. What are the breadth and depth of the company’s operational cybersecurity monitoring activities? Are there areas we are not monitoring, and if so, why not?

How to provide board-level metrics

Once you’ve identified what your board needs to know about cybersecurity, it’s time to share essential insights and supporting data. Board members seek an overview of the organization’s cybersecurity status and the business impact of cyber risks. Instead of excessive technical details or operational metrics, you must focus on key takeaways.

Here are principles to keep in mind when you prepare reports for the board:

1. Ensure that any data you share is relevant to the organization’s business context and that the data can be understood by the audience.
2. Be concise! Avoid providing too much information. Eliminate technical jargon.
3. Charts are your friends. Minimize text by including graphics and visuals to convey your key points.
4. Communicate insights about what the data means. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate impact.
5. Always remember that board-level reports should enable strategic discussion and dialogue between directors and senior management.

Cyber threats are real, and investors, executives, and board members can work together to mitigate them.