Chapter 2
Communicating Cybersecurity Effectively to the Board
Chapter Overview
The chapter “How is the Board Informed” discusses strategies for effectively informing the board about cybersecurity matters. Key highlights include the role of the CISO, regular reporting on cybersecurity metrics and incidents, establishing a reporting cadence, maintaining proper documentation, dedicating time for cybersecurity discussions during board meetings, providing training and education to board members, and providing updates on incident response activities. These strategies aim to ensure the board is well-informed and equipped to make informed decisions regarding cybersecurity.
Contributors
Chapter 2
Communicating Cybersecurity Effectively to the Board
Communicating Cybersecurity Effectively to the Board
In an organization, a cyber-aware Board is the first step towards cyber protection. With the increasing regularity and complexity of cyberattacks, it is no longer a question of if but when an organization will find itself the victim; a Board that provides cybersecurity oversight is a critical requirement to ensure appropriate management of cyber risks.
But is cyber awareness enough?
Mitigating cybersecurity risks after an event has occurred is only half the battle won. Organizations must think beyond cyber protection and switch to being proactive rather than reactive. Building cyber resilience – the strength to withstand a cyberattack without sustaining damage – should be an organizational goal. Being proactive in its cybersecurity measures, an organization will be well prepared for recovery measures and business continuity.
To lead a cyber resilient organization, the Board has to take the next step after awareness – build a clear plan aligned with its strategic goals. To this end, it is vital that the Board is fully informed on a regular basis of the organization’s cybersecurity strategies, requirements, and overall landscape.
One of the major challenges most organizations face is the lack of a proper channel of communication between the Board and the cybersecurity committee/experts. Whatever the size of the organization or the industry they are in, keeping the Board informed must follow a well-oiled framework.
A few larger organizations have a reporting schedule of once or twice a year where the CISO gets an audience with the Board to explain the wins and losses of their cybersecurity program. Ad hoc discussions are hastily arranged when there is a cyber event.
But with the growing threats and the subsequent need to strengthen compliance and regulations, this might just not be enough.
The Role of the CISO
While the CIO is responsible for the overall IT strategy, the CISO – who reports to the CIO – is specifically responsible for cyber risk reduction. Hence, it is important that the CISO has direct access to the Board where they have the opportunity to present their findings, evaluations, and recommendations without the restrictions of the red tape.
A CISO-to-the-Board access opens up avenues to open discussions and productive dialogues, elevating the CISO from the role of a cybersecurity expert to that of a cybersecurity advisor. It also ensures that the CISO’s responsibility is not just limited to keeping the Board informed on a quarterly or yearly basis but to keep an open and transparent channel active around the year.
On the other hand, the Board must conduct in-depth one-on-one discussions with the CISO on a regular basis to not just stay updated on the organization’s cybersecurity hits and misses but also to understand how the cybersecurity program is progressing.
How to Keep the Board Informed
Keeping the Board informed doesn’t begin and end with reporting or a few ad hoc discussions. To create a cyber capable Board, there must be a committed strategy to communicate efficiently with them. The dedicated cybersecurity committee and the Board must establish a two-way bridge in which the knowledge flow is consistent and transparent.
Regular Reporting
To ensure that cybersecurity concerns and strategies receive the limelight they need, it is important to establish a regular cadence with the Board. The cybersecurity committee/stakeholders should take special care in communicating the updates in a clear and concise manner. They need to refrain from overusing technical jargon. The Board takes more of a business approach rather than a technical one and hence, any information presented must be from a business perspective.
Establish a Three-Tier Cadence
- A more focused cadence with specific committee members who have complete visibility into the organization’s cybersecurity environment.
- Regular engagement with a specific set of Board members who can be considered/nurtured as the Board’s cyber experts.
- A full-fledged Board meeting following the calendar.
The inhouse reporting cadence must always include what changed from the previous quarter to the current quarter in terms of the organization’s risk profile.
Regular, comprehensive meetings like these will help the Board have a strong grasp on the cyber landscape, provide them with the necessary know-how to understand the risks, and enable them to make informed decisions on behalf of the organization.
Ensure Proper Documentation
When reporting to the Board, clarity is a key factor. The information presented must be easy to understand, have all the factors needed to take action, and provide recommendations on the way ahead. A few steps that can be included while reporting to the Board are:
- Executive Summary: The key takeaways can be presented as an executive summary, highlighting the current threat landscape and how the organization is poised to navigate it. Summarizing the key points will help the Board quickly grasp what is required of them instead of having to wade through a sea of technical jargon.
- Clear Goals: The organization’s cybersecurity objectives and goals must be clearly stated in any reports presented to the Board. This will help them map the direction of the actions and whether they align with the organization’s overall cybersecurity strategies.
- Threat Landscape: Perhaps the most important factor to be presented, this section should provide all updates on the current threat landscape and emerging cyber threats that the organization must watch out for. This is also where any significant previous cyber incidents can be covered, and their progress measured.
- Security Initiatives: Another key factor in these cadences is the updates on recent security initiatives underway and plans for new ones. The updates on ongoing security initiatives can include enhancements to the current security strategies or any improvements suggested.
- Resource Requirements: This will be a good time and place to present any requirements for financial, technical, or human resources. An overview of cybersecurity spend will be a good addition to the report to highlight the request for budget allocation.
- Regulatory and Compliance Updates: Discuss any relevant changes or updates on cyber laws and regulations pertaining to your industry. This is an important inclusion as it could impact the organization’s cybersecurity posture. This will also help the Board to evaluate whether they need to change their approach to adhere to these changes.
- Cybersecurity Recommendations: And last, but not least, the cybersecurity committee can propose their suggestions and recommendations to improve the organization’s security posture. They can also address any changes required to the existing strategies and approaches to ensure that the organization is on its way to being cyber resilient.
Dedicated Cybersecurity Board Discussions
Focused board meetings on cybersecurity involving the cybersecurity committee and the Board will give a much-needed one-on-one time between the two parties. During these dedicated sessions, the cybersecurity committee can provide in-depth details on the organization’s cybersecurity posture and whether the strategies are poised to provide the required level of defense against threats.
These workshops can also work as the perfect time to delve deep into new security initiatives, evolving threats, and any recent significant breaches.
The Board can also conduct in-depth one-on-one discussions with the CISO in the absence of a cybersecurity committee.
If the organization is employing the services of a virtual CISO (V-CISO), the Board can have regular interim check-ins with them, rather than waiting for the quarterly update.
Training and Education
- Communicate to the Board on their role in managing the organization’s cybersecurity posture.
- Educate the Board on the need for a proactive approach to cybersecurity.
- Drive home the impact of potential cybersecurity breaches through real-world case studies.
These training sessions can be conducted inhouse by the CISO or an external expert can be brought in to provide a broader perspective, unrestricted by the organization’s profile.
As discussed briefly in the previous chapter, encouraging the Board members to take part in cybersecurity webinars and events and networking with peers about the topic will help create an external ecosystem of experts.
Incident Response Updates
Most organizations have ad hoc meetings in the face of unprecedented scenarios, emergency meetings in the event of a cyberattack. The cybersecurity committee and the CISO must be on their toes to evaluate the impact of the attack and work on the mitigating measures. The Board must be kept informed regularly on the progress and the effectiveness of the incident response process.
The cybersecurity committee and the Board must work together to ensure that the organization’s assets are not compromised and no sensitive information is breached.
Once the incident has been neutralized and disaster averted, regular follow-ups must be undertaken on the ongoing remediation efforts. This is where documenting the lessons learned from the cyberattack will add value as they serve as a stepping stone to future resilience plans.
These lessons can be incorporated into the organization’s cybersecurity strategies to ensure the event is not repeated and that the organization is resilient in the face of another attack.
Keeping the Board fully informed on matters of cybersecurity will help to promote transparency, trust, and accountability. And, what’s more, it enables the Board to play the part it is supposed to play – provide cybersecurity oversight and build cyber resilience.
Once they are cyber aware and are fully informed on the cybersecurity landscape of the organization, how does the Board act to fulfil its duties. We will cover this in the next chapter.