As companies undertake their digital transformation, the risks in terms of cybersecurity are constantly increasing. As cyber security can be a very technical field, one may wonder – how should reporting cyber metrics to the Board of Directors be handled?
When it comes to implementing a company-wide cyber security strategy, security managers such as CISOs, CIOs, or BISOs often have their hands tied. Insufficient resources and budgets, and a lack of understanding of risks at the highest level, are daily issues. Since an organization’s governance directly involves the board, it’s very important for the board to be cyber aware.
Fortunately, cybersecurity is increasingly shifting from the technical sphere to the boardroom. As a result, more board members understand the importance of good cybersecurity hygiene in today’s digital world. Furthermore, many companies have renewed their boards of directors with younger directors who pay closer attention to cybersecurity metrics and overall cyber security topics.
Nevertheless, approximately 87% of board members and senior managers are unhappy with the level of cybersecurity in their organization.
When discussing cybersecurity issues and metrics with the board, the topic needs to be addressed in a clear, relevant and convincing manner. Here are a few tips that could help:
- Get to know the members of the Board of Directors
- Banish ultra-technical terms
- Rely on metrics
- Use real-life examples
- Align with global business strategy
- Focus on the important points
- Adopt a risk-based approach when it comes to risk management
- Explain clearly what you are trying to achieve, using metrics
- Make your case with significant and accurate metrics
Let’s dive into each of these.
(1) Get to know the members of the Board of Directors
Regardless of the company’s industry, size or its maturity in terms of cyber security, a successful presentation will depend on the audience’s knowledge of the field. CISOs should have an idea of the directors’ backgrounds, their respective positions and their influence in the organization. The more you know about board members, the easier it will be to discuss cyber security and metrics openly, which, in the end, will make it easier to convince them.
(2) Banish ultra-technical terms
Usually, the simpler the terms, the better the board members will understand.
Chances are, the board is not very familiar with security terms and tools. To make sure you can be understood and get the message across, do away with the more technical terms. Instead, focus on the general ideas and scenarios. For example, terms such as SIEM, DDoS, and MITM attacks could be replaced with universal concepts such as risk management, cyber-attacks, and security principles.
(3) Rely on metrics
Discuss topics of interest and importance such as:
- The potential impact of an attack on the company’s reputation
- The potential financial impact
- The responsibility of the board members
(4) Use real-life examples
You should always make sure the metrics you are reporting are supported by concrete examples. This will help board members understand the essence of what you are saying.
For example, the company’s level of cybersecurity maturity could be presented with a simple traffic light (green, orange or red, depending on the risks the organization faces). The impact of certain cyber threats can be highlighted by recent articles showing the potential consequences. These may include the actual costs of a type of attack and help the board understand more about the risks of not implementing appropriate cyber security measures.
(5) Align with your organization’s overall business strategy
Whatever metrics and cyber strategy you are discussing, they will be useless if they do not fit the overall strategy of the organization. Keep in mind, the board is mostly interested in the high-level strategy rather than technical details. So, all metrics should help show how the cyber strategy will help the organization achieve its business objectives. Before talking to the board, make sure you are familiar with the company’s overall strategy and objectives. This will help you make your case.
(6) Focus on the important points
Keep in mind, boards only meet periodically, and their time is precious. When reporting cyber metrics, it’s important to focus on the critical elements. The goal should be to get to the point as clearly and swiftly as possible. The board will appreciate a straightforward presentation and useful data.
(7) Adopt a risk-based approach to risk management
Companies have limited resources to manage cyber risks. One of the board’s top priorities is to ensure that risks are properly managed. Make sure the metrics you are reporting will have a lasting impact on the board and the company. Metrics should focus on key strategies that can help improve the organization’s cyber security situation. By adopting a risk management approach and using appropriate metrics, the Board will understand the importance of their role.
(8) Make your case with significant and accurate metrics
Collecting facts and figures and being prepared to answer questions accurately is a must. When you report metrics, board members are likely to ask specific questions about the organization’s current cyber security strategy, how it has evolved in recent years, and how they can measure the level of risk exposure.
Data can be overwhelming. Be sure to find relevant figures and statistics to make your point. More is not always better. When discussing a change in cyber security strategy, metrics can make all the difference. For example, a new strategy may require an 8% budget increase, but will generate a measurable return on investment because risk exposure will decrease by 25%. Knowing the significant and verifiable figures and metrics will be key to convincing the board.
In order for a cybersecurity strategy to be effective and bring lasting change, CISOs need to be smart and prepared when discussing cyber security with the board of directors. Time spent with the board is often limited, so focus on the most important elements and rely on clear metrics to ensure cyber security is taken seriously.
If the metrics are clear, relevant, and linked to the company’s operations, the chance of getting the board’s support will be much higher.