Effectively communicating risk with the board can be challenging, especially when they ask tough questions like…
“Are we 100% secure?” during routine check-ins, or…
“How did this happen – what went wrong?” after an incident.
And you WILL get questions like these. In fact, Gartner recently listed five questions boards commonly ask that security executives should be prepared to answer [1]. Are you ready for them, or will you struggle to compile disparate data into an educated response?
If the latter, then keep reading for 7 tips to communicate risk clearly to the board.
Tough Questions Your Board Will Definitely Ask
Gartner [1] suggests you'll also be asked:
- The incident question: “How did this happen? I thought you had this under control – what went wrong?”
- The landscape question: “How bad is it out there? What about what happened at X company? How are we doing compared to others?”
- The risk question: “Do we know what our risks are? What keeps you up at night?”
- The performance question: “Are we appropriately allocating resources? Are we spending enough? Why are we spending so much?”
As you may suspect, the answers aren’t always as straightforward as the board might like.
How Do You Effectively Communicate Risk with the Board?
Use these 7 tips to prepare powerful responses to the board’s toughest questions.
Tip #1: Educate Leadership on Risk Management Fundamentals
Let’s take the question “Are we 100% secure?” as an example. This is also known as the trade-off question. It reveals that the person asking it is not yet familiar with how information security works: there is no such thing as 100% secure, only a balance between security, cost and convenience.
There is always a trade-off between these factors. If you want to mitigate a risk, there is a cost associated with implementing the control, and usually some convenience to give up. Multi-factor authentication (MFA) is a clear case: you pay for the MFA implementation, and users sacrifice the convenience of logging in with just a username and password.
Is your leadership willing to pay and sacrifice convenience to reduce and better manage the risk? Do they understand that you can never fully remove risk, but you can implement controls to manage it and then continually reassess those controls? This is a great opportunity to educate your leaders on this fundamental risk management concept.
Tip #2: Take a Risk-Based Approach
In my prior experience as an Information Security Specialist, our team was asked the performance question (“Are we appropriately allocating resources?”) by the CIO on a regular basis. Depending on my mood, I would either mumble under my breath, roll my eyes or sigh heavily (all without being seen or heard of course!).
Then we would compile metrics from our GRC tool to present the status of the remediation plans for control gaps, risks, threats and vulnerabilities. For instance, we would show the progress of patching servers against the list of critical and high vulnerabilities produced by the scanning tool. We presented this as a way to decrease the likelihood of those vulnerabilities being exploited, not just as a way to comply with PCI DSS requirements.
Tip #3: Speak the Board’s Language
Whenever possible, you must highlight the business value of information security activities and investments when you respond to these types of questions from leadership teams.
It can be a struggle to address these questions because often we’re not speaking the board’s language. They are focused on business growth, expansion and profitability. They operate in a world of cost and value, so a security control or faster patching means little to them on its own. They need to understand the risk associated with their business objectives so they can see the value of cyber risk investments and prioritize them accordingly.
Tip #4: Quantify the Value of InfoSec Activities
This is where a shift in mindset is needed. We need to shift from describing how we are protecting our critical assets and data to measuring how well we are protecting them.
Tip #5: Start with Your Business Priorities
Approach risk management by identifying your business priorities, then assess and reduce the risk of those activities. This approach enables you to break down silos, reduce complexity and communicate risk in a business context. This results in better communication and ultimately faster, more effective, data-driven decision-making.
You can communicate the value of your cybersecurity activities much more directly when those activities are tied to a business objective.
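As an added example (not code from the original post or from Reciprocity), the script below turns a raw vulnerability-scan export into the kind of board-level metric Tips #2, #4 and #5 describe: critical and high findings grouped by the business process they affect, with the percentage fixed, the percentage fixed within a remediation SLA, and the number of open findings that are already overdue. The findings, the business-process tags and the SLA targets (15 days for critical, 30 for high) are constructed for illustration and are assumptions, not data from any real scanner or GRC tool.

```python
"""
Turn raw vulnerability-scan findings into board-level remediation metrics,
grouped by the business process each host supports.

Constructed example: the findings, business-process tags and SLA targets
below are made up for illustration and do not come from a real scan.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical remediation SLAs by severity, in days (an assumption).
SLA_DAYS = {"critical": 15, "high": 30}

# Reporting date for the metrics (fixed so the example is reproducible).
AS_OF = date(2024, 4, 1)


@dataclass(frozen=True)
class Finding:
    host: str
    business_process: str              # business objective the host supports
    severity: str                      # "critical", "high", "medium", "low"
    first_seen: date                   # first date the scanner reported it
    remediated: Optional[date] = None  # None while the patch is outstanding


# Constructed sample scan export (not real data).
FINDINGS = [
    Finding("pay-web-01", "Card payments",  "critical", date(2024, 3, 1),  date(2024, 3, 10)),
    Finding("pay-web-02", "Card payments",  "critical", date(2024, 3, 1),  None),
    Finding("pay-db-01",  "Card payments",  "high",     date(2024, 2, 20), date(2024, 3, 28)),
    Finding("hr-app-01",  "Payroll",        "high",     date(2024, 3, 5),  date(2024, 3, 20)),
    Finding("hr-app-01",  "Payroll",        "medium",   date(2024, 3, 5),  None),
    Finding("mkt-cms-01", "Marketing site", "critical", date(2024, 2, 1),  None),
]


def days_open(f: Finding, as_of: date) -> int:
    """Days from first sighting to remediation, or to the reporting date if still open."""
    end = f.remediated or as_of
    return (end - f.first_seen).days


def within_sla(f: Finding, as_of: date) -> bool:
    """True if the finding was (or still can be) closed inside its severity SLA."""
    return days_open(f, as_of) <= SLA_DAYS[f.severity]


def remediation_metrics(findings, as_of):
    """Per business process: critical/high totals, % fixed, % fixed in SLA, overdue open."""
    by_process = {}
    for f in findings:
        if f.severity not in SLA_DAYS:
            continue  # the board view tracks only critical and high findings
        m = by_process.setdefault(
            f.business_process,
            {"total": 0, "fixed": 0, "fixed_in_sla": 0, "open_overdue": 0},
        )
        m["total"] += 1
        if f.remediated is not None:
            m["fixed"] += 1
            if within_sla(f, as_of):
                m["fixed_in_sla"] += 1
        elif not within_sla(f, as_of):
            m["open_overdue"] += 1  # still open and already past its SLA
    for m in by_process.values():
        m["pct_fixed"] = round(100 * m["fixed"] / m["total"], 1)
        m["pct_fixed_in_sla"] = round(100 * m["fixed_in_sla"] / m["total"], 1)
    return by_process


def board_summary(findings, as_of):
    """One line per business process, worst (most overdue) first."""
    metrics = remediation_metrics(findings, as_of)
    ordered = sorted(metrics.items(), key=lambda kv: -kv[1]["open_overdue"])
    return [
        f"{proc}: {m['pct_fixed']}% of critical/high fixed, "
        f"{m['pct_fixed_in_sla']}% within SLA, {m['open_overdue']} open past SLA"
        for proc, m in ordered
    ]


if __name__ == "__main__":
    for line in board_summary(FINDINGS, AS_OF):
        print(line)
```

The point of grouping by business process rather than by host or by scanner severity alone is that the resulting line reads in the board's terms: the card payments process has one critical finding past its SLA, while payroll is fully remediated on time. "Open past SLA" is the number that answers the performance question; "% fixed" on its own would hide it.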
Tip #6: Use Cyber Assurance Programs
The key to this type of approach is to use cyber assurance programs (CAPs). These programs are a unique mix of processes, assets, requirements, risks, threats and providers focused on a business objective or priority. CAPs provide a single pane of glass into your risk and compliance postures while giving contextual insight.
Tip #7: Add the Reciprocity ROAR Platform to Your Arsenal
With the Reciprocity® ROAR platform, you can quickly and easily create these programs to empower your teams with the information and reporting capabilities they need to effectively communicate risk to the board.
Get the Full Picture First
Of course, you’ll want the full picture of your threat landscape before communicating risk to the board. That’s why it’s critical to surface unknown risks lurking behind blind spots. See how in this free white paper now.