How to explain cyber risks to your leadership team
When it comes to communicating cybersecurity risks to boards and executive leadership teams, IT professionals need to learn a whole new type of programming language.
As businesses rapidly digitise virtually every aspect of their operations, the potential fallout of data breaches and ransomware attacks has exponentially increased. But while everyone now understands that cybersecurity is important (at least in theory), not everyone at the top of the org chart is particularly tech-savvy.
A recent Accenture study, for instance, analysed almost 2,000 directors at more than 100 large banks and found that only 10 per cent of board directors and 10 per cent of chief executive officers on boards had any IT experience, and a third of the world’s biggest banks still have absolutely no board members with professional technology experience.
Jamie Wilson, Executive Chairman and Founder of Cryptoloc, says he sees far too many leadership teams taking a laissez-faire approach to cybersecurity, particularly as businesses migrate to the cloud.
“When you push your operations to the cloud, you’re using third-party providers, and that opens you up to a whole lot of vulnerabilities,” he says. “What I often see is that people don’t take enough time to investigate those third-party solutions – they just trust that their cloud provider is secure, and they’re actually not.”
Establishing a common language with high-level execs to educate and advise them about cyber risks can be a significant challenge, but it’s often the only way to get the resources you need – so here are a few ways to get the board on board with cybersecurity.
Don’t bury your message in technical jargon
The technical jargon that tends to be beloved by IT departments can make it difficult for organisations to have the necessary conversations about cybersecurity.
To avoid falling down a rabbit hole of detailed technical explanations, and giving yourself a front-row seat to a room full of executives with their eyes glazed over, outline cybersecurity risks in terms of the damage a cyber attack could do to the smooth operation of the business, rather than the damage to systems that nobody outside the IT department is likely to have a grasp of.
“You’ve got to remember that these are not necessarily technical people,” Jamie says. “You have to be able to explain the problem to your grandmother, and put it in terms that she’ll understand.”
When explaining the importance of encryption and the risks posed by social engineering scams like phishing, for instance, Jamie says he likes to “paint a picture of a house”.
“What does the perfect home security system look like? You’ve got CCTV cameras, you’ve got bars and security screens on the windows, you’ve got double deadlocks on the door, you’ve got a massive fence and you’ve got a couple of vicious dogs. Those are your perimeter controls.
“But the weakest link in that security system is the person who’s already inside the home, and is scammed into letting a criminal walk through the front door. Well, it’s the same with an employee who opens a phishing email, or connects to the wrong IoT device – before you know it, the cybercriminals are inside your system, and your perimeter controls that were supposed to stop anyone from getting in can’t protect you.
“In that situation, you have to rely on your internal controls, which include encrypting and backing up your data so you don’t lose any sensitive information in the event of an attack.”
Use the language of risk management
Your typical board member might not be able to configure a firewall, but they do understand their fiduciary responsibilities and the ever-present language of risk management.
To capture their attention, focus on actual risks to business operations, the likelihood and repercussions of those risks, and the cost of mitigating those risks compared to the cost of doing nothing.
You could enlist the help of a risk management professional who’s well-versed in couching risks in those terms for executives, but if that’s not possible, make sure you clearly prioritise the risks for the board, instead of presenting them with an amorphous jumble of possible scenarios.
As noted in a recent ISACA white paper on reporting cybersecurity risks to boards, “Presenting a full slate of risk scenarios to the board is not beneficial until the scenarios are ordered and prioritised using quantitative measurement that is in a familiar format for executives.
“The members of board committees are adept at managing financial measurements. The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk.”
One sticking point here is that many businesses simply don’t understand what’s at risk, because they don’t understand the value of their digital assets.
“Before you know it,” Jamie says, “the board is saying, ‘well, let’s do something’, because they know it’s their duty to do something, but they’re doing it without understanding the implications.”
Telstra’s ‘Five Knows of Cybersecurity’ provide a guide to the five things organisations must know to effectively manage their risk:
- Know the value of your data.
- Know who has access to your data.
- Know where your data is.
- Know who is protecting your data.
- Know how well your data is protected.
If you can answer these five questions for your leadership team, it will underscore just how crucial cybersecurity is to your organisation and highlight what needs protecting.
Give them solutions, not problems
Board members didn’t get where they are by wallowing in problems that can’t be solved. They expect solutions and they expect results, so when you talk to them about cyber risks, make sure you also talk to them about your plan to prevent, detect and mitigate those risks.
Of course, they don’t want or need to know every technical detail – “that’s information overload,” Jamie cautions. But they do want and need to know their business is going to keep operating in the face of cybersecurity challenges.
Be upfront about the costs, and don’t shy away from the fact that cybersecurity is an ongoing investment. While it’s obvious to you that security solutions need to keep pace with changing digital infrastructures and systems, it might not be obvious to an exec who’s expecting a quick set-and-forget fix.
To give yourself a benchmark you can share for how your company performs against its competitors, align your solution with widely used certifications and frameworks – Cryptoloc’s patented encryption technology, for instance, is ISO-certified.
Make your company’s adherence to best practices a selling point, so that cybersecurity spending stops being something that your leadership team is grudgingly forced to commit to and starts being seen as the worthwhile investment that it is.
In today’s business landscape, you’ll find that most boards are willing to be convinced of the importance of cybersecurity – but it’s up to you to sell them on the right solutions.