Talking cybersecurity with the Board of Directors

Every discipline has its own language, and those who are fluent in it can sometimes forget that it doesn’t make sense to everyone else. Cybersecurity professionals are often guilty of this, and it does them no favours – especially around the boardroom table.

At a time when cybercrime is more prevalent and noxious than ever before, and when regulators globally are demanding organisations take more accountability for cybersecurity, ensuring those who govern the organisation understand the threats, and how they are mitigated, is critical. That’s because robust cybersecurity is as necessary as robust health and safety, and senior leadership are ultimately responsible and liable – for both.

Yet unlike most health and safety risks, where communicating issues is relatively straightforward (e.g. at a building site there are many unseen hazards, so everyone entering it must wear a hard hat and a safety vest), cybersecurity is complex, technical, and ever-changing. Little wonder that in discussions with the board, cybersecurity professionals often commit three crucial errors.

1. They fail to align their cybersecurity roadmap to the business roadmap. For example, at Spark, when creating our cybersecurity strategy, we look first at what the business priorities are. (You can learn more about this approach in the article Combatting cybercrime with a robust cybersecurity strategy.)
2. They not only speak in jargon that board members don’t understand, but they provide monthly metrics that are meaningless to them and are often backwards-looking.
3. They don’t provide the context for the information they present, for example, why a certain metric makes the organisation weaker or stronger.

As a consequence of these errors, organisations often do one of two things.

They aim for the minimum requirement, what will be required to pass the audit and compliance needs, gain IS 27000 standards for information management security and consider it ‘job done’. Or they throw a whole bunch of money at cybersecurity, adopting the latest technology to try and boost their security posture but fail to make a real difference. Investments like this can put strain on your budgets and leave little resource for other effective security measures.

Spark recently asked New Zealand businesses about their investment in cybersecurity. 56% of New Zealand organisations indicated cybersecurity as a priority for investment in the next 12 months. To ensure they get value for money, they have to first work out what the risks are, and how they can be mitigated in a way that reflects the level of risk and makes the most of the organisation’s limited resources.

It sounds simple, and in many ways, it is, but only when cybersecurity professionals realise that to succeed, they can no longer just talk amongst themselves. They have to find a way to bring the board into the conversation.

As a starting point, here are my ‘top 10’ questions that we ask ourselves at Spark, and for which we seek plain-language answers to. Answers, which have data to back them up, provide context in terms of how they relate to overall business goals and strategy, and which produce meaningful, measurable metrics so our board easily grasps the situation presented to them each month.

1. How secure are we?
2. How do we rank versus other peers/competitors/partners in our business vertical?
3. What are our strongest (or weakest) security issues?
4. What are our most significant threats or risks, and what are we doing about them?
5. Are we spending the right amount on security?
6. Are our security capabilities deployed optimally?
7. Are we meeting the standard of reasonable care?
8. Are we resilient?
9. How will we cope with some of the most commonly seen threats?
10. Are we able to meet our compliance and regulatory obligations?

Some of these questions are straightforward; others will take a lot more time to determine and are more likely to change over time. For example, the question ‘are we spending the right amount on security?’ This is very similar to working out if the organisation is spending the right amount on insurance cover. When do you tip over from sensible protection into overspending? It’s a judgement call, but one that can only be made after careful consideration of the data and other relevant information.

The good news is that there is help at hand, as determining cybersecurity metrics that the board and the rest of the organisation, can understand and support is becoming increasingly important. When you partner with a trusted Managed Security Service Provider, such as our team at Spark, we can assist you with developing meaningful metrics for your board.

There is also a growing body of information and advice in this area from global analyst firms. Gartner® has developed a new approach it calls Outcome Driven Metrics (ODMs), which - as you might expect - are designed to measure the outcomes of security investments. As per Gartner, Inc. “These metrics serve as value levers to manage business-led cybersecurity investments.

The goal is to achieve a desired level of cybersecurity readiness that aligns with the organization’s willingness to pay for it”.

- ‘The Gartner Cybersecurity Business Value Benchmark, First Generation’¹, Gartner, Inc.

“CIOs seeking to manage cybersecurity investment must use outcome-driven metrics. Gartner has defined 16 protection-level outcomes that create a foundation for effective collaboration with boards of directors, CISOs and CFOs.”.

Tools such as this are helpful in gathering the data required to ensure you are on the right path, but they are not enough on their own. Your suite of metrics is there to illustrate the journey your organisation is on; it is not the story itself. You as the storyteller have to find, develop, finesse, and communicate a compelling narrative that captures your board’s attention, and provides them with the confidence to invest in the areas of cybersecurity you identify as most important – ideally before the cybercriminals next strike.

ABOUT THE AUTHOR

Nyuk Loong Kiw is a proven information security professional with over 22 years’ experience in cybersecurity. His areas of expertise are network security, incident response, security design/architecture along with 10+ years team and technical leadership experience.^‍

¹Gartner, The Gartner Cybersecurity Business Value Benchmark, First Generation, Paul Proctor, Srinath Sampath, Paul Furtado, Patrick Long, Lisa Neubauer, Deepti Gopal, 14 September 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.