Cyber security has always been an unsought good, like insurance: it is valued only when something bad happens. It has always been challenging for security leaders to communicate the value of cybersecurity investments to the board and to their peers. Furthermore, everyone in an organization has their own perspective on cyber security. That is partly why security professionals find it difficult to convince management to approve budgets.
But the situation is changing, as boards and management are coming to understand the importance of security. It is now the security leader’s responsibility to communicate the importance of cyber security effectively. This has become especially important during the pandemic, when the risk of cyber breaches is high and organizations are cutting costs to survive a slowdown in business.
In this piece, we talk about the best practices to effectively communicate cyber security to the board and management.
Be in your audience’s shoes: Talk in the language of the board and quantify cyber risks.
According to Deloitte’s 2019 Future of Cyber Survey, only half of the C-level executives surveyed said their organizations use quantitative risk evaluation tools at all; the other half said they still rely largely on the experience of their cyber experts or on maturity assessments.
Communicate the severity and losses of not having a robust cyber security program.
According to the World Economic Forum’s Global Risks Report, data fraud, data theft and cyber attacks are among the top five risks the world faces. That is because of the huge business impact of cyber attacks. For example, the NotPetya malware cost Maersk an estimated $300 million after it shut down operations. Verizon paid $350 million less in its acquisition of Yahoo after the tech company suffered two cyber attacks.
Use simple language: Build trust and engage leadership.
Again, it is important to use simple language and to avoid technical jargon as much as possible when presenting to the board or making your point to any non-technical C-suite executive.
Be prepared to face any kind of objections and questions.
When security leaders prepare a presentation for a board or C-suite executives, they must be ready to face all kinds of non-technical and, sometimes, technical questions.
In summary, it is critical for CISOs and security leaders to communicate the value of cyber security effectively. If CISOs are unable to communicate and quantify their cyber security program, priority projects do not get funded, which leads to increased breach risk. Fortunately, there are many tools on the market today that significantly improve a CISO’s ability to report to the board effectively and systematically.
Amit S Bhadauriya, Manager, Product Marketing, MetricStream, is a product marketing enthusiast for IT Governance, Risk and Compliance (IT GRC), and cyber security technology, products and services.