Educate Boards in Cybersecurity
As the world becomes more aware of cybersecurity risks and issues, company boards need to become more aware of the issues that cybersecurity poses for their businesses. However, it can be difficult for non-technical people to learn the new terminology and concepts. The question remains: how do we educate boards in cybersecurity, to the level that the board can understand cybersecurity risks and concerns, and be able to provide support and funding for cybersecurity initiatives?
Boards and IT concepts
Even though almost all businesses have IT systems and services, often a board may not understand the concepts and concerns around basic IT tools and capabilities. Many board members are selected for their governance and risk skills, and their financial and strategy skills – instead of an understanding of operational tools and systems. Digital Transformation initiatives have often been impacted by lack of board support and funding. Often assumptions or expectations by the board have resulted in Digital Transformation initiatives being considered a failure – even when there have been high levels of success. So, if boards have had trouble understanding major IT initiatives, how can we educate boards in cybersecurity issues that they need to understand?
Process to educate boards in cybersecurity
At a high level, CISOs and senior cybersecurity professionals need to ensure that they have a channel into the board so that the issues can be raised. This may be through the CIO or another executive who already has a voice into the board, or it may be that a new relationship with a board member has to be sought. If you cannot provide papers or presentations to the Board, you will not be able to educate boards in cybersecurity. Once you are able to provide information to the board, you can work on the process to educate boards in cybersecurity.
Establish a connection
The board needs to trust that senior management has a long-term view of cybersecurity, with a strategic roadmap and robust plans in place to adequately protect information assets and IT systems, regardless of where and how new threats emerge. This two-way relationship is based on understanding that the board does not want to be brought problems for them to solve – after all, they are not the experts in cybersecurity. The board wants to see progress and status, and to trust that the risks and issues are getting the adequate attention that they deserve.
Make it business related
A trap that technical and IT people fall into when talking to boards or executives is that they get too technical and use jargon, or skip over explaining concepts. Cybersecurity is a business risk and not just a technology risk. However, as with other concerns such as Business Continuity and Disaster Recovery, it is tempting for boards to “palm off” the issue as being an IT responsibility. Instead, CISOs should ensure that the focus is on business risk and use business language or analogies, instead of bamboozling boards with technologies. Board members are unlikely to recognise product names, technologies or even companies. They will understand risk, reputational damage, fines and penalties, and impact on the business’s ability to operate effectively.
Use the board’s understanding of health and safety to relate them to cybersecurity – near misses, reporting structures, investments in protective systems, duty of care, and follow-up responsibilities.
Many boards will already understand health and safety initiatives and responsibilities. Boards will have an agenda item of WHS / HS&E incidents and near misses, and they will understand the concepts of taking measures to protect people and the business with investments and initiatives. Use this approach to relate cybersecurity issues to them – reports of near misses need a culture and process for reporting issues, guard rails and protective systems need investment, the duty of care to the customers and employees, and the responsibility for follow-up reporting and statistics.
Be clear about what is being protected
What is being protected, and why? It is about the business’s ability to operate and grow, not about having high-quality cybersecurity tools and subscriptions. Your cyber tools are there for the purpose of protecting the business – are you in the business of having a world-class cyber capability? Don’t talk about products, technologies, version numbers and jargon. Focus on what is most important to the business, because that is the Board’s focus. Your responsibility is to protect customer data, employee information, trade secrets and patented processes, financial and competitive strategy information, and to ensure the ongoing operation and growth of the business. Your ‘why’ includes reputation and responsibility to customers and shareholders/stakeholders, to avoid litigation and fines, to continue to operate when competitors may be taken off-line. Ensure that the business is the focus, not how cool your use of technology is.
Alert, but do not scare
A board will inherently have a focus on risk, but the problem with cybersecurity is that the risk will never go below “high”. No matter if you invest only $100, or $1Bn, the risk will always be “high”. The likelihood cannot be decreased or mitigated, as the landscape is always changing. The impact cannot be avoided or changed, as even a small breach can cause an impact on the business’s ability to operate, damage reputation, or may incur fines or other financial losses.
You can tell the board stories about breaches affecting other companies, throw statistics at them that show 75% of businesses fail within 12 months of a major breach, and make them aware of the criminal businesses that are constantly targeting them. But you need to temper this information to give the board confidence that you are taking responsibility for taking action and protecting the business.
The problem is cybersecurity risk will never go below “high”. No matter if your Cybersecurity budget is $100 or $1Bn, the risk will always be “high”.
Have a clear strategy
Boards approve strategy that is aligned to the organisation / data / technology strategies – so make the board and executive understand the technology. Have a clear and defined program of work to focus on continuous uplift of cybersecurity. Actively demonstrate progress and delivery outcomes and benefits. You are not with the board for a casual chat, you are telling them exactly what you are doing and what you need for the business.
Identify measures already underway
How are we protected already? Focus on the threats and the risks, not just compliance. You will want to use broad terminology like “firewalls” instead of product names, and ensure you cover items that the board already understands, such as “anti-virus”, policies and education. Be clear on what the critical assets are and what the key controls for those assets or systems are. Be transparent about the effectiveness of key controls and how gaps are being treated. Ensure that ongoing activities such as education, patching, and scanning for new threats and risks are also mentioned.
Be clear on what support is asked for
Most often, you will want an action from the board. This could be more resources or money, or support for an initiative or strategy. You need to be clear on what you actually want the board to do, instead of just passing an issue to them. Take the Board on your journey, be clear on the strategy and the why. You may need to bring internal and external data and insights to the conversation, to bring depth and authority to the information and guidance that you provide.
Protect them personally
We all know that the biggest cause of almost all cybersecurity breaches has been people. Leaked credentials and poor password handling, people clicking on links in emails and adverts, the list goes on. Most board members and executives are at high risk of compromise because not only do they have lower knowledge and awareness, they also often have higher levels of access permissions and access to highly confidential and sensitive information. Ensure that you educate boards in cybersecurity by making sure they know they have their own responsibilities and need to protect themselves, so that you can protect the business.
Never waste a good crisis
Major hacking incidents and virus outbreaks can be great for awareness – not just for the board and executive, but also for staff and customers. Password breaches and insider incidents can remind people that the threat is ever-present, and that user behaviour is the best protection from Cyber incidents.
Don’t confuse them with terminology
Too often, Boards are made up of people – how shall I say it – from a certain era. The Boomers on the Board will have extensive experience in business, but not necessarily a good understanding of IT issues. It is an instinctive reaction for people to “glaze over” when they start hearing terminology and concepts that they are unfamiliar with. Analogies, basic terms, rephrasing in business terms or concepts that they are already comfortable with – these are all techniques that can assist in educating boards in cybersecurity.