How to Present Cyber Risk to Your Board: 4 Essential StepsIT Risk & Cyber Risk | 5 Min Read |09 May 23|by Patricia McParland
Today’s boards don’t need to be convinced that cyber risk management is important. 88% of boards of directors view cybersecurity as a business risk, according to the 2021 Gartner Board of Directors Survey. Over half (51%) of board members surveyed by PwC cite cyber-attacks as a serious risk (and another 35% as a moderate risk) – more than any other category. Also, 68% of directors told MIT Sloan researchers that their board discusses cybersecurity regularly or constantly.
Despite this, only 33% of directors say they think their board understands the company’s cybersecurity vulnerabilities very well. What’s more, boards are often out of sync with their CISOs. Sixty-five percent of board members surveyed by Proofpoint and MIT Sloan believe that their organization is at risk of a material cyber-attack in the next 12 months, compared to 48% of CISOs.
Clearly, there is room for improvement in aligning board members with your cyber risk strategy. Here are four tips that you, as a cyber risk or security leader, can use to communicate cyber risks to your board in a way that gets them in sync with your vision, helps them understand what’s at stake, and drives them to bolster your organization’s cyber defenses.
- Focus on Business Impact
While today’s boards are much more cyber-savvy, it’s still important to convey risks in a language that everyone understands. Keep your presentation simple, minimizing technical speak. Focus instead on the business metrics and impacts that matter most to the board.
For example, instead of presenting a list of vulnerabilities and threats, you might want to talk about how these issues will impact the organization’s revenue, reputation, and strategy.
Map out the attack surface, so the board can clearly visualize which threats are most critical, which pathways they can take through the organization, and which assets are most at risk. Support your case with real-world breach stories and the losses faced by peers in your industry.
Also, remind your board that cyber risk management is about more than securing data. With increasing digitization, more processes are going online, more operations are being managed remotely, and more systems are being connected. So, a threat anywhere along this chain can have a devastating snowball effect. The more clearly boards understand this, the faster they can act.
- Quantify the Cyber Risks
Words don’t always make a compelling cyber case – but numbers do, especially financial numbers. If you want your board to invest more in cyber risk management, find a way to quantify the monetary impact of risks. Saying that a ransomware attack could be “fairly severe and fairly likely to occur” is far less impactful than saying that a ransomware attack could cost the organization $1 million with a 60% chance of that loss occurring.
Cyber risk quantification makes it easier to answer the board’s questions on how much to invest in cybersecurity, what the return on investment will be, and which risks to focus on first. It also helps companies measure how much of risk reduction has been achieved over time.
There are plenty of tools and frameworks to assist with cyber risk quantification. The Factor Analysis of Information Risk (FAIR™) model can help you quantify security risk exposure in terms of the dollar value at risk. A Monte Carlo analysis simulates various cyber risk event scenarios so that you can predict potential financial losses from each one.
And of course – a picture is always worth a thousand words. Express your numbers in visuals and graphs for maximum understanding and impact.
- Expand the Conversation Beyond Technology
Boardroom conversations around cyber risk management often revolve around technology-based defenses and controls – be it firewalls, encryption software, packet sniffers, or vulnerability scanners. While these tools are essential, they’re just one part of the cybersecurity program. CISOs also need to be talking to boards about:
- Updating cybersecurity policies and procedures in line with the latest industry guidelines
- Running regular cyber risk training and awareness programs at all levels of the enterprise
- Making it easy for frontline employees to capture and report potential cyber risks
- Building a business continuity and recovery program in case a cyber-attack does occur
- Investing in sufficient cyber insurance coverage
The idea is to create multiple layers of protection, each supporting the other, and together providing a solid defense against cyber threats.
- Don’t Overlook Third Parties and IT Vendor Risks
The sheer number of IT vendors that we as organizations depend on for cloud services, data back-up, remote IT support, and more makes it essential to have a robust third party and IT vendor risk management program. Ensure that your board understands why. Showcase the impact of IT vendor risks in relation to enterprise risks.
Consider creating a centralized map of IT vendors, the business units they serve, where they operate, associated regulations, controls, etc. – so that the board has a clearer picture of the IT vendor risk universe and where to allocate resources for optimal impact.
Also, be prepared to answer targeted questions from the board, such as: How do you monitor fourth-party cyber risks? Do you conduct due diligence only at the beginning of the vendor relationship or at regular intervals? And how do you offboard IT vendors to ensure that they no longer have access to sensitive data?
5 other questions that the board seeks answers to:
- Which critical assets are most vulnerable to cyber risks, and how are we protecting them?
- How are we dealing with cyber risks that are not directly within our control?
- How do we stay up-to-date on the latest cyber threats and vulnerabilities?
- How does our cyber risk management program stack up against industry standards such as the National Institute for Standards and Technology (NIST) Cybersecurity Framework?
- If a cyberattack were to occur, do we have a plan? And what should our (the board’s) role be?
How MetricStream Can Help
MetricStream CyberGRC gives you and your board comprehensive visibility into IT and cyber risks, assets, processes, and controls. Using our cyber risk quantification capabilities, you can swiftly measure the dollar impact of cyber risks to help your board prioritize their cyber investments more efficiently.
You also get powerful capabilities to assess cyber risks and controls, monitor the threat landscape, manage cyber compliance and policies, and keep IT vendor risks in check – all of which goes a long way towards strengthening the board’s confidence in your cyber risk management program.
Check out more resources on managing cyber risk:
eBook: CyberGRC Buyer’s Guide
Infographic: 7 Urgent Cyber GRC Challenges to Prepare for Now
Request a demo now!