Getting the Board on board: How to talk cyber risk to the C-Suite suits
Article by ExtraHop A/NZ regional sales manager Glen Maloney.
While COVID-19 is dominating discussions in boardrooms around the country, it’s not the only potentially deadly virus Australian business leaders need to concern themselves with this year. Rapid digitisation of all aspects of business operations in recent years has made cyber-compromise and attack critical risks for businesses of all stripes, in Australia and around the world.
As a consequence, cybersecurity chiefs have been thrust into the limelight; required to contribute to the conversation at the C-Suite and board levels, as companies grapple with the question of how best to protect themselves against an amorphous and continually evolving threat.
Educating and advising boards about cyber risks, and the security investment that’s necessary to mitigate them, can be no small challenge, particularly for security leaders who are more comfortable talking bits and bytes than business. Here are some ways to make the conversations impactful.
Banish fear, uncertainty and doubt by focusing on the facts
News reports of cyber attacks and data breaches are frequently sensational in nature and can strike terror into the hearts of those at the helm of businesses and organisations. Understandably so. No board member wants their name associated with the next Landmark White unravelling.
The listed property valuation firm, since rebranded Acumentis, had an annus horribilis in 2019, after it emerged that tens of thousands of records had been compromised in two separate incidents. Business was suspended by major clients and company earnings plummeted, as the firm scrambled to get a handle on the unfolding disaster.
For chief information security officers, successful engagement with the Board can begin with putting paid to their cyber-FUD – the fear, uncertainty and doubt they harbour about cyber incidents – by focusing on actual risk. Every business needs to measure its risk uniquely, and by outlining the specific risks faced by the organisation, along with their likelihood and likely repercussions, security leaders can make the issue more concrete.
Make resilience and recovery a focus
Board members are big picture people who are interested in hearing about solutions, not problems. That’s why it makes sense to balance discussion about cyber risks with information about prevention, detection, mitigation and recovery measures, including the organisation’s data breach response plan. No organisation is immune to high-tech attack, however robust its cybersecurity posture, so it’s important to home in on the detection and response mechanisms you’d deploy if, despite best efforts, the company experienced an incident.
Highlight the need for ongoing investment
It’s obvious to those who hail from the cybersecurity industry but to outsiders perhaps not so much. Cybersecurity posture isn’t one size fits all, nor a set-and-forget affair. Your organisation’s IT architecture will dictate the security technologies which need to be put in place. If its infrastructure and systems are changing, as they are in many Australian companies which have embarked on digital transformation journeys, security solutions need to change apace. Flagging this to the board helps put the need for regular security gap analysis and ongoing investment in new security technologies in context.
Talk about risk to business, not systems
ICT literacy levels are on the up and gone are the days when those at the top viewed the IT shop as a discrete backroom function. Nevertheless, it can be helpful to reinforce the fact that protecting systems means protecting the business; both its smooth operation and its reputation. Getting into specifics can help hammer the point home – for example, by explaining how incident response speed and accuracy help bolster customer trust when reporting data privacy incidents within 72 hours, as required under GDPR.
Keeping the conversation focused on business benefits can also reposition cybersecurity spending in a more positive light: less grudge purchase and more positive investment in business continuity and profitability.
Staying in lockstep with business leaders to secure the future
The risk posed to Australian business by cybercrime is real and rising – research published by PwC in 2018 revealed it’s now viewed as the most disruptive economic crime of the day and the greatest threat to growth prospects – and, as the economy continues to digitise, that’s unlikely to change.
Board-level backing for the tools, technologies and human resources needed to protect the enterprise can place your company on a stronger footing and reduce its likelihood of becoming a cybersecurity statistic. For forward-thinking CISOs, it’s time to step up and lead the conversation.