Business Daily Media

How to Communicate Cyber Risk to the Board

  • Written by Adam Palmer, Chief Cybersecurity Strategist, Tenable



While today’s digitally-connected world has elevated the global economy to new heights, one cannot ignore the fact that cyberattacks and data breaches have also become a frequent problem. Research has shown that cyberattacks are on the rise among organisations, with cybercrime costing the

Australian economy over $1 billion per year. The potential for cyber threats to cost organisations millions of dollars in cleanup, lost business and reputational damage clearly demonstrates the relationship between cyber risk and business risk. With so much at stake, CISOs, the entire C-suite, and the Board require insight into cyber exposure in the same way as other risks.

This practical guide will help CISOs communicate cyber risk to the C-suite and board of directors in a way that fosters a business-based dialogue for better, more informed decision making that focuses on maximising risk reduction.

Focus on critical risks

There’s a tendency to mistakenly follow a traditional “check-the-box” approach to addressing every risk. This is akin to chasing your own tail because it provides no visibility of actual risks and consumes valuable resources and time on vulnerabilities that have a low likelihood of being exploited.

Mature organisations have evolved from this archaic approach toward risk-based vulnerability management. Utilising threat intelligence, vulnerability research, and probability data allows a CISO to focus on critical risks. These are vulnerabilities that are actually at high risk of being exploited.

A 2019 study by McKinsey Consulting found that risk-based vulnerability management allows companies a potential risk reduction of 7.5 times above their original program, at no added cost.
                                                                              
Present the board with clear answers

Let’s be honest, when the C-suite or board of directors asks a CISO, “How secure are we?” the last thing they want is a long-winded answer. They expect insight into cyber risk in the same way as other operational areas, and with the same accuracy and predictability. 

Therefore, this is an opportunity for the CISO to present a measurable view of the organisation’s cyber risk exposure using internal and external comparative benchmarks. Consider using concise and understandable language suitable to guide strategic leadership decision-making by the board.

Cyberattacks have the ability to destroy an organisation’s reputation or competitive advantage, both of which are critical to the health of the business. Therefore, CISOs must be prepared to effectively communicate this message to the board and clearly explain how this risk is being addressed across the business unit, asset, and geo-location.

Channel resources appropriately

An effective CISO should measure success by risk reduction, not milestones or tool deployment. In a crisis, it is critical to know what controls are really effective. Demand assurance that the security team is focused on identifying and reducing critical vulnerabilities that pose a business risk.

Remediation actions should be prioritised to reduce the organisation’s cyber exposure. A CISO should drill down into specific vulnerabilities or assets to identify and support controls that are more effective and truly reduce risk.

Make cybersecurity risk management a living strategy

Consider meeting with the C-suite frequently to review risk priorities and strategy. Without a solid internal governance structure, organisations will have trouble building any success. 

Oversight of security may be led by the CISO, but the entire C-suite should drive a cross-team leadership approach. Security is a team effort and a moving process. It is linked to every part of business operations and therefore requires a cross-team governance structure to support the program and resolve critical decisions.

This also assures that the security strategy will be a flexible, living strategy, with critical internal leadership support. Utilise the insights from a risk-based vulnerability management approach to adjust strategy and investment based on critical vulnerabilities that pose the greatest business risk. 

Successfully get ahead of attackers

In the fast-moving environment of cybersecurity, where the entire business may be at risk,  organisations need to understand where to focus resources and investment to maximise their cyber risk reduction. At the same time, C-suite and boards of directors require a means to objectively measure cyber exposure. This should be in non-technical terms and allow business leaders to understand how they compare to their industry peers or other organisations with best-in-class security.

Adam Palmer, Chief Cybersecurity Strategist, Tenable

Business Today

Hunt and Brew launches Australia-first cold brew coffee

Australian boutique coffee maker Hunt and Brew has announced it will be sourcing the beans for its new “Australia” cold brew coffee from far north Queensland in a move that will make the company one of the largest buyers of ...

What you need to know about the Defense Production Act – the 1950s law Biden invoked to try to end the baby formula shortage

Biden invoked the Defense Production Act to help end the shortage of baby formula. AP Photo/David J. PhillipU.S. President Joe Biden on May 18, 2022, announced he is invoking the Defense Production Act to help end the shortage of ...

Baby formula industry was primed for disaster long before key factory closed down

Cities are trying to address the baby formula shortage with community drives.AP Photo/David J. PhillipThe conditions that led to a shortage of baby formula were set in motion long before the February 2022 closure of the Similac fa...

Utilising communication tech to alleviate employee burn out

Hybrid work solidified into the business model in 2021 – plain and simple. Jabra research revealed 42 per cent of employees last year requested leadership to help make their virtual workspace more comfortable. Employees are ...

Space Machines readies for liftoff securing launch services deal with SpaceX

SpaceX to carry Space Machines' Optimus Orbital Transfer Vehicle as part of its April 2023 mission. Optimus is one of the largest spacecraft built in Australia and furthers Australia’s sovereign capabilities toward in-space...

Deliver business benefits through operational excellence

As Australian businesses emerge from the pandemic lockdowns and draw up plans for growth, increasing numbers are adopting a strategy of operational excellence. Operational excellence involves everyone in an organisation and f...

Business Daily Media Business Development

Hunt and Brew launches Australia-first cold brew coffee

Australian boutique coffee maker Hunt and Brew has announced it will be sourcing the beans for its new “Australia” cold brew coffee from far north Queensland in a move that will make t...

NewsServices.com - avatar NewsServices.com

Utilising communication tech to alleviate employee burn out

Hybrid work solidified into the business model in 2021 – plain and simple. Jabra research revealed 42 per cent of employees last year requested leadership to help make their virtual wo...

David Piggott, Managing Director ANZ at Jabra - avatar David Piggott, Managing Director ANZ at Jabra

Space Machines readies for liftoff securing launch services deal with SpaceX

SpaceX to carry Space Machines' Optimus Orbital Transfer Vehicle as part of its April 2023 mission. Optimus is one of the largest spacecraft built in Australia and furthers Australia’...

Business Daily Media - avatar Business Daily Media

India's employee hostels are often like prisons – but young women garment workers don't always see it that way

Kavitha, 18, earns a living at a clothing factory in the southern Indian state of Tamil Nadu. Like many of her colleagues, she lives in accommodation provided by the factory, where she share...

Andrew Crane, Professor of Business and Society, University of Bath - avatar Andrew Crane, Professor of Business and Society, University of Bath

Shortage of workers threatens UK recovery – here’s why and what to do about it

For the first time since records began, there are more job vacancies in the UK than unemployed people, according to the latest monthly labour market figures. This has been driven mainly by a...

Donald Houston, Professor of Economic Geography, University of Portsmouth - avatar Donald Houston, Professor of Economic Geography, University of Portsmouth

A central bank digital euro could save the eurozone – here's how

Blockchain bailout?4K_HeavenThe European Central Bank and its counterparts in the UK, US, China and India are exploring a new form of state-backed money built on similar online ledger techno...

Guido Cozzi, Professor of Macroeconomics, University of St.Gallen - avatar Guido Cozzi, Professor of Macroeconomics, University of St.Gallen



NewsServices.com

Content & Technology Connecting Global Audiences

More Information - Less Opinion